The Panama Papers – Are You Next?

Amendments to the Privacy Act for serious breaches

The recent spectacular leak of documents from the Panama law firm Mossack Fonseca illustrates just how easy it is with modern technology to access and disseminate vast amounts of information. The leak is said to have comprised some 2.6 terabytes with some 4.8 million emails, 3 million database entries, 2.2 million PDFs, 1.2 million images, 320,000 text files and 2,242 files in other formats.[i]

It is not known how the leak from Mossack Fonseca occurred. The data was provided by an anonymous source to a German newspaper under strict conditions to prevent identification of the source. Mossack Fonseca has reportedly said that this was not an “inside job” but that the firm had been “hacked”.[ii]

Could this happen to you?

The Australian Cyber Security Centre released in December 2015 the 2015 ACSC Cyber Security Survey: Major Australian Businesses.  Respondents to the survey reported cyber security incidents (those considered to have harmed the confidentiality, integrity or availability of a network’s data or systems) in the last 12 months. As the name of the survey indicates, most of the respondents (67%) were from large organisations (200+ employees), 23% from medium-size organisations (21-199 employees) and 10% from small organisations (less than 20 employees). A breakdown of the responses was:

  • no incidents – 42%
  • 1 to 5 incidents – 40%
  • 6 to 10 incidents – 6%
  • 10+ incidents – 5%
  • don’t know – 8%.

Respondents to the survey identified the following cyber threats that they considered to be of the most concern:

  • 72% – ransomware or scareware
  • 70% – theft or breach of confidential information
  • 67% – targeted malicious emails
  • 62% – unauthorised access to information from an outsider
  • 58% – social engineering
  • 56% – unauthorised access to information from an insider
  • 55% – loss or destruction of information
  • 54% – loss of serviceability
  • 52% – virus or worm infection
  • 46% – trojan
  • 46% – unauthorised modification of information
  • 40% – theft or loss of intellectual property
  • 40% – rootkit malware
  • 36% – denial of service attack
  • 32% – compromise of mobile devices and laptops
  • 24% – wire fraud
  • 22% – theft of mobile devices and laptops
  • 7% – other.

Responses indicated that the following were the cyber actors of most concern:

  • 60% – trusted insiders
  • 55% – issue motivated groups or hacktivists
  • 54% – organised criminal syndicates
  • 54% – state-based actors
  • 45% – individuals
  • 4% – other.

From these responses, and anecdotally, the potential for a cyber attack and unauthorised access to information on a network is far from remote, particularly with substantial increases in ransomware attacks.

Reporting of incidents

The ACSC Report indicated that only 51% of respondents reported cyber security incidents to an official body such as CERT Australia (the Australian national computer emergency response team) or law enforcement agencies or ACORN (the Australian Cybercrime Online Reporting Network).

Another regime may soon exist for mandatory reporting of incidents which result in unauthorised disclosure of personal information or credit information within the ambit of the Privacy Act 2008 (Cwlth). An Exposure Draft Bill, the Privacy Amendment Bracket Notification of Serious Data Breaches) Bill 2015, has been released for comment and submissions closed on 4 March 2016.

Privacy Act amendments

The amendments that are proposed in the draft Bill arise from Report 108 of the Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice. The main concern is the increasing amount of personal information held in relation to individuals and the possibility of identity fraud.

The Discussion Paper for the draft Bill indicates that the intention is that:

  • notification to the Australian Information Commissioner and to an affected individual would be required for a serious data breach
  • a serious data breach will be one involving unauthorised access or disclosure of personal information, credit reporting information, credit eligibility information or tax file number information
  • the unauthorised access or disclosure must be such as to put any of the individuals to whom the information relates at real risk of serious harm.

Notification would be required if a serious data breach has occurred, or if an entity has reasonable grounds to believe that this has occurred.

Submissions have been made by numerous organisations in relation to the draft Bill. Many submissions, including that of the Australian Information Industry Association raise concerns at some of the unclear concepts and strict obligations that are contained in the draft.

The Discussion Paper issued with the draft Bill Office of the Australian Information Commissioner (OAIC) will issue guidelines for concepts. The OAIC already has an extensive Data Breach Notification Guide, issued in 2014.

The Government is considering submissions and is in the process of preparing a revised draft Bill for Parliament. If an Act is passed that is consistent with the draft Bill, it will commence 12 months after Royal assent.

Who will be subject to the Notification Requirements?

The requirements for notification in the draft Bill, if it becomes an Act, will apply to any entity that is an APP entity under the Privacy Act. This will include any business with an annual turnover of more than $3 million, and will also include any business that provides a health service (as widely defined) or any business providing personal information in return for benefits.

Australian Cyber Security Strategy

The Australian Government recognises the risks that are posed by data breaches and on 21 April 2016 released an Australian Cyber Security Strategy. The Attorney-General’s Department advises that the Strategy establishes five themes of action for Australia’s cyber security over the next four years to 2020:

  • a national cyber partnership between government, researchers and business
  • strong cyber defences
  • global responsibility and influence
  • growth and innovation
  • a cyber smart nation.[iii]

The Government will commit $230 million to advance the strategy, indicating the seriousness with which the Government views cyber security and protection of data.

Business Security Strategies

In view of the increasing prevalence of cyber threats, all businesses would be wise to ensure that they have appropriate security strategies and safeguards. What may be appropriate for any particular organisation will depend very much on its size, operations and circumstances.

Losses and liabilities that may arise from an adverse cyber security incident can be substantial. Apart from internal disruptions and costs, liabilities may exist to individuals and other third parties, whether by reason of Privacy legislation or by reason of obligations of confidentiality and care that may be owed to other parties with information held by an organisation.

The ACSC Report mentioned above indicates that predominant factors contributing to industry cyber incidents were identified as staff errors or omissions and poor security culture, as well as misconfigured systems and sophistication and targeting of the incidents. Having comprehensive and appropriate staff policies, procedures and guidelines, as well as training and information in relation to IT security and management, can substantially reduce the risks.

DW Fox Tucker can assist in preparing and reviewing policies and conditions for IT management, as well as policies that are specifically required by legislation as an APP Privacy Policy and a Credit Information Policy.

[i] Wikipedia,­Papers, Leak timeline and logistics.

[ii] Ibid, Mossack Fonseca responses.

[iii] Attorney-General’s Department,


For more information, please contact:
Sandy Donaldson

Sandy Donaldson
p.  +61 8 8124 1954
e.  Email me

This communication provides general information which is current as at the time of production. The information contained in this communication does not constitute advice and should not be relied upon as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Should you wish to discuss any matter raised in this report, or what it means for you, your business or your clients' businesses, please feel free to contact us.

Legal Enquiry

Need assistance? Describe the matter and we’ll be in touch asap.

Legal Enquiry Form

News Subscription

Stay up to date. Key legal developments, firm news and events.

Subscribe Now


Level 14, 96-100 King William Street Adelaide SA 5000

CALL +61 8 8124 1811

Connect with us

© Copyright - DW Fox Tucker Lawyers - Commercial Lawyers Adelaide