"Breacher Beware": mandatory notification of data breaches
A cautionary tale for IP repositories
24 September 2019
In late 2018, the Australian National University (ANU) fell victim to cyber attacks, which were only discovered in late May of 2019 amidst fears that unpublished academic material was stolen and put up for sale on the dark web. This incident follows a similar cyber attack in 2018 by hackers tied to the Iranian government, who targeted over 76 universities across 14 countries with the aim of stealing intellectual property. Clearly, the valuable nature of intellectual property inherently increases its exposure to threats of cyber theft. Against this backdrop, this article will highlight the importance of securing intellectual property data in light of Australia's Notifiable Data Breaches Scheme (NDBS).
With the evolving nature of data itself, the Australian Parliament has recognised the clear need for regulation and legislation to keep pace with technological advancements. Accordingly, this article posits that there could soon be an expansion of the NDBS beyond "personal information", in order to ensure the protection of intellectual property held by third parties, non-compliance with which could have serious financial and reputational consequences for entities storing IP data on an owner's behalf.
The increasing prevalence of data breaches
The proliferation of data has increased exponentially, as has data's relevance to commercial transactions and the consequent potential for disputes to arise in the realm of trade and commerce. Couple this with the fact that recent studies have suggested breaches of data security have increased in frequency and scope, and the associated risks for data repositories quickly begin to materialise. While these data breaches have primarily involved "personal information" (see cases of Westpac, Telstra, and the Red Cross Blood Service), the increased storage of intellectual property on online databases increases its exposure to cyber theft. Alarmingly, as hackers are becoming increasingly sophisticated, data repositories are reportedly finding it increasingly difficult to detect when they've been hacked.
As a further recent example, consider the financial and reputational impact of the recent data breach at British Airways—which exposed 500,000 customers to the threat of financial fraud because credit card information had been stolen for illicit purposes—resulting in the company potentially being fined £183 million (equating to approximately 1.5% of the its annual turnover for FY2017) - See our article GDPR sharpens its teeth with two record-breaking fines in two days. Consider too the fact that Verizon Communications' purchase price of Yahoo! Inc. in 2016 was slashed during negotiations by US$350 million as a result of data breach liability being uncovered in the due diligence process (with Yahoo! Inc also agreeing to pay 50 per cent of costs in respect of related private litigation).
As a corollary to the above matters, cyber security must similarly be 'ramped up' by corporates and data repositories to ensure protection of information stored online, lest they suffer the consequences of financial and reputational damage, particularly if data breach liability extends into the highly valuable IP space.
IP and Australia's NDBS
Australia's NDBS was implemented in February 2018 and applies to all organisations which are required to comply with the Privacy Act 1988 (Cth). It put in place a mandatory notification scheme vis-à-vis unauthorised access to "personal information" held by that organisation, to the extent that access results in serious harm to the individuals to whom the information relates. Since the NDBS was introduced, notification of data breaches in Australia has increased by 712%. Given the effectiveness of the NDBS to date, coupled with the increased prevalence and scope of cyber attacks discussed above, it is foreseeable that mandatory reporting of data breaches could extend beyond "personal information" and into the realm of IP.
In this connection, the Australian Government has recently announced plans to reform Australia's privacy laws, including increased penalties for privacy breaches, and additional enforcement powers for the Office of the Australian Information Commissioner (OAIC). Senator Penny Wong has previously spoken of the Australian peoples' concerns about privacy in the digital age, and their placing of faith in the Australian Parliament to respond in the appropriate way to data breaches. Relatedly, Senator Catryna Bilyk has credited the NDBS as being critical to understanding the gravity and magnitude of data breaches. It is therefore conceivable that the media scrutiny attending the ANU data breach might trigger public expectations vis-à-vis mandatory reporting of data breaches at large (i.e. not merely breaches specific to "personal information"). Indeed, widening of the existing scheme has already been contemplated in Australian public discourse.
Whilst it is fair to say that theft of "personal information" still garners the most media and parliamentary attention, IP theft is emerging as a risk weighing on corporate decision makers' minds. A recent study commissioned by software developer Bromium revealed that theft of trade secrets and intellectual property accounted for $500 billion dollars globally—a third of the overall revenue generated by cyber crime. Similarly, renowned security software developer McAfee released a report in April 2019 which expressed the view that cyber terrorists are as equally focused on intellectual property theft as they are on personal information.
Even ignoring the prospect of legislative reform, it is likely that, in many cases, intellectual property already incorporates a degree of "personal information". For example, a patent lawyer will often need to collect personal data of the inventors for the purposes of their patent application. Accordingly, the current NDBS regime may already be triggered by IP cyber theft if it can be determined that personal data was obtained as a result. In support of this proposition, consider Privacy Commissioner v Telstra Corporation Ltd  FCAFC 4, where Kenny and Edelman JJ reasoned that information "about an individual" merely requires that the individual be the subject matter of the information. Accordingly, data that includes information such as names of individuals, could fall within the operation of the Privacy Act, with the consequence that intellectual property such as the stolen unpublished academic works held in the ANU case may well be subject to the existing NDBS if the works include the author's name(s). Having said that, academic commentary posits that Australian case law on this issue remains unclear (at least when compared to international counterparts), with the consequence that legislative intervention may be required to fill any voids created by judicial interpretation.
Potential consequences and practical implications
Irrespective of whether the NDBS extends to the IP sphere or not, data repositories must take practical steps to minimise the threat of cyber theft. This includes a streamlined approach to handling all data (including intellectual property data) and the introduction of compliance programmes and employee training. Companies must also develop action plans to ensure an orderly and appropriate response to a breach, in order to minimise any damage that may result. Those responses (and the timeliness of them) will be scrutinised by regulatory bodies and will likely be wholly determinative of any decision to commence enforcement action. When combined with the significant and persistent threat of collateral or standalone class actions (as a means of private regulation), the risks for data repositories are too great to ignore.
Accordingly, irrespective of the onerousness of the applicable obligations, a stringent approach is recommended (including when considering appropriate levels of insurance coverage, given the valuable nature of most IP) to ensure compliance and transparency. At a minimum, data repositories should ensure they follow the OAIC's basic four-step guide to responding to data breaches:
- Contain the data breach to prevent any further compromise of information.
- Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm.
- Notify the data breach to the individuals concerned and the OAIC.
- Review the incident and consider what actions can be taken to prevent future breaches.
KEY TAKE-AWAY POINTS
- In May 2019, the Australian National University (ANU) notified students, staff and alumni of a cyber attack involving 19 years' worth of personal data, which included unpublished academic works feared to have been put up for sale on the dark web. This incident follows a similar cyber attack in 2018 by hackers tied to the Iranian government, who targeted over 76 universities across 14 other countries with the aim of stealing intellectual property.
- Australia's Notifiable Data Breach Scheme is evolving and may soon intersect with the field of intellectual property (or, in certain respects, may already).
- Corporates, government agencies and NGOs that hold sensitive intellectual property on online databases should be wary of the threat of cyber attacks (coupled with the consequent litigation risk) and take whatever steps necessary to limit their exposure.