Mandatory data breach notification laws hit NSW

What you need to know

• The NSW Parliament passed the Privacy andPersonal Information Protection Amendment Bill 2022on 16 November 2022.
• The Bill:
  
  • introducesmandatorydata breach notices in NSW (which currently has a voluntary regime);
  • requires agencies to have theprivacy management plans, data breach policies and data breach registersto support the mandatory notification scheme;
  • brings more pro-active, interventionist and cyber focusedfunctions and powersto the NSW Privacy Commissioner; and
  • extends NSW privacy law to coverNSW State owned corporationsnot covered by Commonwealth privacy law.

• The reforms amend thePrivacy and Personal Information Protection Act 1998(NSW), and impact NSW public sector agencies, including NSW agencies and departments, statutory authorities, local councils, bodies whose accounts are subject to the Auditor General, some universities and State owned corporations not covered by Commonwealth privacy laws.
• Agencies will have12 months to complywith the new rules.
• The reforms come after more than three years of consultation. Expect other jurisdictions to follow.

What you need to do

• While the reforms will have a 12 month lead-time, agencies shouldbuild (and fund) cyber resilience maturity– in particular the capability to monitor, record, assess, report and act on cyber incidents.
• Climb the learning curve– the Information and Privacy Commissioner will publish an e-learning module and guidelines, including guidance on how agencies should assess data breaches.
• Designresilient monitoring, assessment, recording and reporting frameworks——鼓励健壮和docum新规则ented processes – but these documents can themselves be valuable to attackers. Agencies need to design frameworks that will work while systems are compromised.
• We expect the Privacy Commissioner to use these new regulatory tools to push cyber maturity in agencies. The Audit Office of New South Wales issued a series of reports in 2021 investigating cyber maturity in a range of NSW public sector agencies, with some key lessons that can be acted on today
  
  • Prioritisecyber maturityas a matter of urgency
  • Demonstrate持续改进对新南威尔士州网络安全内核ity Policy, which sets out 25 mandatory requirements, including implementing the Australian Cyber Security Centre's "Essential 8" strategies
  • Driveconsistency in policies, processes and definitionaround security incidents and data breaches to ensure data breaches are recorded in registers, and take action to address root causes
  • Identify your most vital systems - your"crown jewels"
  • ImproveITcontrols, particularly around user access administration and privileged user access

• Assess and manage cyber supply chain risk when procuring goods and services and in the management of contractors. Often supply chains provide a weak link in organisational security and need to be considered and managed appropriately.

What data breaches need to be notified?

The NSW mandatory data breach scheme is designed to be consistent with the Commonwealth scheme, as some incidents may trigger both regimes (eg if tax file numbers are involved).
An eligible data breach is one that is likely to result inserious harm. The bill includes factors that may be considered, including the types and sensitivity of information and security measures.
Notification is not required wheremitigation stepstaken mean serious harm is not likely to occur. Other exemptions include where notification:

• presents cyber risks
• is given by another affected agency
• presents a serious risk of harm to health or safety

Contain, assess, notify

An employee or officer must report a suspected eligible data breach to the agency. The agency must:

• Contain:immediately take all reasonable steps to contain the data breach
• 评估:expeditiously, and within30 days, assess whether the data breach is an eligible data breach (this period can be extended by the head of the agency)
• Notify:once an eligible data breach is confirmed, the agency must notify the NSW Privacy Commissioner immediately, and affected individuals as soon as practicable (or if notifying individuals is not practical, publish a notification)

Update plans, policy and register

Agencies must:

• updateprivacy management plansto cover the data breach notification scheme
• publish adata breach policy
• maintain aninternal registerof eligible data breaches – including details such as mitigation steps, actions to prevent future breaches and estimated costs of breaches

While these requirements may at first appear administrative, they will practically require agencies to review, design and document operational and governance arrangements to prepare for, defend against, mitigate and recover from incidents.

Internal process documents, and in particular the internal register, will be valuable information to a threat actor. Know how you will document the steps taken to identify, respond to, report and recover from an incident. Consider communications and records protocols, particularly if corporate systems might be accessible to threat actors.

New functions and powers

The NSW Privacy Commissioner will have new functions and powers that signal a morepro-active, interventionist and cyber-focused regulator.

These include to:

• investigate, monitor, audit and report on compliance with notification scheme, including data handling
• assist agencies to prepare data breach policies and comply with the scheme
• observe systems, policies and procedures
• observe demonstrations of data handling systems, policies, procedures and inspect documents
• direct an agency to prepare a statements about suspected eligible data breach, and recommend notification to individuals as if it was an eligible data breach
• issue reports and guidelines

The new functions and powers will make it easier for the Privacy Commissioner to assist with and uplift the capabilities of agencies. They also allow the Privacy Commissioner to "look under the hood" of agency operations, and potentially to name and shame agencies that fail to take action.

Independent oversight and monitoring is not new to NSW agencies – cyber resilience is an ongoing focus for the Audit Office of NSW. However, new powers and functions may give the Privacy Commissioner leverage todrive change and impact budgets.

Other jurisdictions will follow suit

As in NSW, mandatory data breach notifications have been on the agenda in other jurisdictions for some time.

• The Queensland government consulted on introducing a similar mandatory data breach notification scheme in June 2022.
• The Office of the Victorian Information Commissioner called for mandatory data breach notifications in September 2022 after a department failed to notify people that their data had been accessed by a man convicted to sexually assaulting a child.
• In 2019, the Western Australian Office of the Information Commissioner submitted that the Western Australian Government should consider a mandatory reporting scheme.

The NSW legislation will ease the path to introducing similar regimes, modelled on the Commonwealth regime, in other jurisdictions.

Authors:Rebecca Cope (Partner, Digital Economy Transactions), Mathew Baldwin (Partner, Digital Economy Transactions), Tim Brookes (Partner, Digital Economy Transactions), Andrew Hilton (Expertise Counsel, Digital Economy Transactions) and Dominic Christie (Lawyer, Digital Economy Transactions).

_{This publication is a joint publication from Ashurst Australia and Ashurst Risk Advisory Pty Ltd, which are part of the Ashurst Group.}

_{The Ashurst Group is global, and comprises Ashurst LLP, Ashurst Australia and their respective affiliates (including independent local partnerships, companies or other entities) which are authorised to use the name "Ashurst" or describe themselves as being affiliated with Ashurst. Some members of the Ashurst Group are limited liability entities.}

_{Ashurst Risk Advisory Pty Ltd (ABN 74 996 309 133) provides services under the Ashurst Risk Advisory brand. The services provided by Ashurst Risk Advisory Pty Ltd do not constitute legal services or legal advice, and are not provided by Australian legal practitioners in that capacity. The laws and regulations which govern the provision of legal services in the relevant jurisdiction do not apply to the provision of non-legal services.}

_{关于艾舍斯特组和t的更多信息bob正常玩会被黑吗he services offered, please visit www.hschangyihong.com.}