Sony has reportedly reached a settlement with its present and former employees over the loss of employee SSNs and other personally identifiable information resulting from the 2014 hack attributed to the North Koreans: see link. But what would have happened if Sony had been an Australian company or carrying on business in Australia?
Firstly, it's not clear that Sony would have breached the Privacy Act 1988 (Cth). The Australian Privacy Commissioner has been fairly consistent that a hack does not result in an unauthorised disclosure by the hacked entity (so no breach of APP 6). However, depending on the security controls in place, there may be a breach of APP 11 (which requires entities to take reasonable steps to protect personal information). Whether there may have been a breach of APP 11 raises the bigger question of the application of the Privacy Act to employee records held by non-government agencies. Acts or practices of employers are exempt from the Privacy Act if they are directly related to:
- a current or former employment relationship, and
- an employee record held by the entity.
(For more information: see link.)
Based on that, the exemption would on its face seem to cover everything to do with employee records, provided the act is part of the normal employment relationship, rather than, for example, selling employee details to a marketing company. If correct, employees would have no recourse under the Privacy Act and the Commissioner would have no basis on which to commence an investigation into a hack which results in the unauthorised access to or disclosure of employee records.
However, it has been suggested that failing to properly secure an employee record may not be an act or practice directly related to the employment relationship and thus may fall outside the exemption. Something that may be worth clarifying?
Apart from the Privacy Act, employees may be able to take an action (perhaps a class action?) in negligence, which raises the issue of proving damages. Without proof of some fraudulent activity, such as identity theft, as a result of the negligence, it is difficult to see what damage would be claimable. Breach of confidence would seem a more likely cause of action.
Otherwise employees might have to wait and see if any State government is prepared to introduce a statutory right to sue for breach of privacy, the main missing piece in the Australian privacy regulatory landscape. NSW looks like it could be the first off the rank, with Mitchell Pierce’s now infamous Australia Day antics being used to illustrate the harm from publishing secret mobile phone recordings (see story).