MANDATORY DATA BREACH NOTIFICATION AND HACKING THE SMART HOME : A LEGAL RESPONSE TO CYBERSECURITY ?

This paper will investigate whether the Australian legal and regulatory framework sufficiently addresses cybersecurity concerns particular to the smart home. Specifically, the paper will analyse the extent to which the introduction of the data breach notification scheme in Australia will apply to smart home device manufacturers regulated by the federal Privacy Act 1988 (Cth) regarding device breaches. By examining Australian Privacy Principle 11 and the introduction of mandatory data breach notification, the paper aims to determine whether the Australian privacy model of Principles-Based Regulation is capable of providing a market-based solution to cybersecurity concerns in the smart home.


I INTRODUCTION
The law has traditionally recognised the home as a private and passive space, wherein there is a reasonable expectation of privacy. 1 Cory J in the Canadian case R v Silveira stated that 'there is no place on Earth where persons can have a greater expectation of privacy than within their dwelling house.' 2 The smart home marks a new frontier in the digital disruption caused by the emergence of the Internet of Things landscape.While the smart home promises users unparalleled freedom and flexibility, there is a risk that the devices converging to create the smart environment may have poor in-built security measures, making infiltration attractive to hackers. 3 The dangers are especially prevalent in a world where smart home devices are becoming progressively interconnected in the amount of data that is transferred and stored between them. 4The smart home, therefore, presents a primary example of the challenges facing an increasingly digitised society.Given the steady increase in demand for smart home device products, and the relative concerns which have been raised as to their level of security and consumer privacy protection capabilities, the problems presented by the insecurity of data and its systems arise as significant concerns in the smart home environment. 5art IV of the paper analyses the frameworks introduced in Part III, and their potential application to smart home devices.It is stated that Australian Privacy Principle 11 is unlikely to apply in the smart home environment, and so the introduction of the mandatory data breach notification scheme is analysed to determine whether the scheme may be of potential relief for consumers of smart home devices.Further tensions within the data breach notification scheme and APP 11 are identified, and inconsistencies highlighted.It is argued that the increasing interconnectivity of data in smart home devices does not readily fit within the traditional conception of privacy law frameworks.
Part V concludes the paper by noting that the impact that mandatory notification laws will have on smart home devices remains unknown.Nevertheless, the application of smart home device data breaches to a Principles-Based Regulation approach does not provide a clear market-based solution to the joint rise in the smart home market and the increasing sharing of data between internet connected devices and platforms.

II CYBERSECURITY AND THE SMART HOME A Background
The introduction of the smart phone offered users instantaneous access to information and 'all-in-one functionality', which slowly gained the trust and dependency of its consumers. 7The smart home finds its natural evolution from this trust and dependency, enlivening the vision to entrench devices and the These may include unsecured factory default settings and passwords, which can leave consumers vulnerable to hackers easily installing malware to gain access to entire home networks. 6Australian Cyber Security Centre, '2017 Threat Report' (Report, Australian Government Australian Cyber Security Centre, 2017). 7 'ultimate digital assistant' into the home. 8The smart home forms part of the broader Internet of Things ('IoT') landscape.While there is a myriad of potential definitions of IoT,9 in essence it refers to the: Interconnection of sensing and actuating devices providing the ability to share information across platforms through a unified framework, developing a common operating picture for enabling innovative applications.This is achieved by seamless ubiquitous sensing, data analytics and information representation with cloud computing as the unifying framework. 10e smart home is concentrated on 'smart connectivity of objects with existing networks and contextaware computation using network resources.' 11The smart home signals a shift in the increase of invisible infrastructure, where technology is no longer monolithic but now has a malleable duality, capable of constant change. 12It is a point of intense contact between the user and the device. 13Through the implementation of smart home devices, the ultimate vision is to create 'ambient computing' in the home where 'smart devices disappear into the background, consumers only [having] to consider the tasks they want performed, and no longer have to consider which device … will be capable of performing that task.' 14 In order to achieve this, various computational nodes ('smart home devices') are connected in the home.Hidden within these smart home devices are advanced technological processes of collection, storage and use. 15For example, the smart television, with its abilities of content sharing and web browsing, is widely considered a major step towards the convergence of computing and entertainment. 16Two issues arise in the context of the smart home: the collection, and the consolidation of, information. 1

Collection and Consolidation of Information
Smart home devices can be generally categorised into four segments: safety, health, energy and entertainment orientated devices.17Manufacturers and software providers of smart home devices, provided they meet the annual turnover requirement of over three million Australian dollars per financial year,18 may be regulated by the Privacy Act 1988 (Cth) ('Privacy Act') in relation to obligations regarding online privacy and data protection. 19The manner in which data is collected is generally unobtrusive, in furtherance of the ultimate vision of ambient computing, and consumers of these devices may not necessarily understand the breadth of data collection potentially occurring in a single smart home network. 20Data is collected and consolidated through a multiplicity of devices to provide the user with 'familiarity', storing consumer preferences such as light brightness in a smart light bulb, or temperature settings in a smart thermostat. 21Interconnectivity between smart home devices, such as a lightbulb and thermostat, facilitate the objective of ambient computing by creating a network of sensors that detect external elements such as light, temperature and motion. 22The devices then collect, send and receive data autonomously between each other for ultimate control and monitoring by a smart home user. 23A consequence of modern data flow is that the data collected and sent from a smart home device will invariably be stored and received through a multitude of international servers.Though beyond the scope of exploration in this paper, considerable difficulties are presented by the regulation of such transnational data transfer, collection and storage. 24These challenges are many and varied and are of particular prevalence from the perspective of international organisations in consideration of the varying standards for compliance across numerous jurisdictions of operation in which data may be shared. 25e unique and varying nature of data collected thus increases an individual's digital trail, and goes 'much closer to knowing and understanding the unique complexities and individual features of human beings' than may be expected. 26For instance, the Google Home 'may combine personal information from one service with information, including personal information, from other Google services.' 27The device may combine user data from various sources such as Gmail, Google Drive and the user's web history. 28The device also offers third party application integration, allowing aggregation of data from platforms such as Uber, Spotify and FitBit. 29 order for a smart home to provide ever-present assistance and functionality to users, connected devices must establish a presence in the home alongside other internet connected devices and facilitate the transfer of data between them to perform tasks. 30 devices in a smart home network by relaying data through 'transmissions' which are secured through 'protocols', typically through Wi-Fi in a home gateway router. 31However, where information is stored and data is capable of being accessed through multiple and potentially unlimited numbers of devices, invariably issues of mixed ownership arise due to the diversity of entities dealing with data on multiple devices and managing the increasing interconnectivity between them.Richard Mason, an information management scholar, foreshadowed in the 1980s that eventually the 'increased collection, handling and distribution of information will pose serious threats to the privacy, accuracy and accessibility of personal information.' 32The handling of such data stored in a smart home thus raises questions in relation to legal responses to potential hacks, and obligations on entities to provide cybersecurity protocols. 33

B Cybersecurity Threats to the Smart Home
There are three cybersecurity threats which are of particular relevance to the smart home.These are data and identity theft, device hijacking, and ransomware.The Australia Cyber Security Centre ('ACSC') 2017 Threat Report ('the Report') discusses the prevalence of these risks to cybersecurity more generally. 34The Report emphasises the increasing sophistication in attacks by cyber criminals, but notes that many networks are compromised using 'publicly known vulnerabilities' which have known mitigations. 35In the context of the smart home, the infrastructure of the devices comprising the home environment may expose the network to shared vulnerabilities. 36This may arise either from poor cybersecurity protocols in a particular device, or result from outdated software nearing the end of its product life-cycle. 37Nevertheless, hackers may target these vulnerabilities and infiltrate a smart home network through physical proximity to the home, or remote activation and access of the sensors in the smart devices. 38

Data and Identity Theft
The potential for identity theft and crime in internet connected devices is not necessarily particular to the smart home. 39Data and identity crimes have an estimated annual economic impact of over two billion dollars in Australia; four to five per cent of Australians are victims of identity crime resulting in financial loss annually. 40udies have shown, however, that there is a link between the increase in the amount of personal information stored in a network and the incentive for hackers to breach that network and commit data and identity theft crimes. 41Although these cyber-attacks can be widespread, smart homes present a more susceptible and attractive target for hackers due to their complex interconnected nature.This is because the sheer volume of data stored in even a small number of connected smart home devices provides more opportunity and incentive for hackers to extract personal information than would be possible from 'less rich data sets'. 42Where multiple devices are connected on a single smart home network, the network becomes increasingly vulnerable to hacking due to a larger 'attack surface'. 43ccess to one device may provide a hacker with a gateway into all of the smart home devices connected on that network and the data that they store. 44e most common method of data and identity theft in the smart home is through credential-harvesting malware, where hackers bypass security protocols through social engineering and 'credential phishing'. 45The granular data collected in the smart home through a multiplicity of devices compiles to form a unique digital profile of the user.The digital profile is capable of detailing both the consumer's behaviour, such as viewing habits on a smart television or energy consumption on a smart meter, 46 and providing essential information which may be used for document forgery, such as in passports or drivers' licences. 47Hackers may either use stolen data personally or sell it on dark web marketplaces for use in financial crime or identity theft. 48The nature of this personal information also appeals to stalkers, who by accessing the data may gain knowledge of a potential target's home and their lifestyle patterns, and may make inferences based on physical proximity. 49Device Hijacking The purpose of smart home devices is to automate processes and simplify tasks. 50The hyperconnectivity of devices in a smart home environment necessarily entails high levels of communication and data transfer between different smart devices over a range of protocols and technologies. 51These protocols contain differing levels of security, and could thus allow a 'weak link' to be identified by a hacker for targeting, allowing them to gain access to the whole smart home network. 52For example, the Philips Hue lightbulb has been criticised for its poor security, as the bulb does not encrypt data before it is transferred to another device. 53This may allow a hacker to send commands to override and infiltrate the second device merely by gaining access to the lightbulb. 54A similar situation may also arise for smart devices with outdated software, which increases the device's susceptibility to a security breach. 55Studies have shown that many smart home devices are configured with identical or substantially similar software and firmware, which increases the potential for a hacker to exploit common vulnerabilities in a range of devices connected on a single smart home network. 56ima facie, individual data from a single smart device such as a lightbulb may not necessarily provide access to a wide range of data on consumer behaviour. 57However, preferences stored in devices like smart lightbulbs may indicate whether or not a consumer is presently at the home by sending a 'current status' update. 58This would provide the hijacker with 'a source of close, granular and intimate data on the activities and behaviour' of the smart home's inhabitants.' 59Further, once a device is hijacked, a 'man-in-the-middle' attack can be made between smart home devices as a result of the 'weak link' in the smart home environment. 60'Man-in-the-middle' attacks involve the hijacker making independent connections with various devices and relaying communications between them. 61milarly to cases of data and identity theft, unique data from multiple devices can be obtained via device hijacking, which allows hijackers to gain contextual knowledge about the individuals and inhabitants of a smart home. 62Pieced together, the inferences made based on learned behaviour have the potential to 'paint a near complete and accurate digital portrait of users.' 63 From utilising this method, a hacker in physical proximity to an infiltrated smart home may remotely access the compromised devices and use this to create a physical attack on the inhabitants.Smart thermostats may be used to increase heating system temperatures and cause pipes to burst by altering user inputs, 64 or surveillance cameras may be remotely turned on to view activities of inhabitants inside the home. 65Ransomware Ransomware is a method used by financially-motivated hackers to extort funds from victims by blocking access to, or controlling, user data. 66The method is a persistent and prevalent threat both in Australia and worldwide, with an 'increasing frequency and variation of campaigns' being reported. 67hen this method is applied to a smart home environment, manipulation of data in the devices may be pushed to extremes in the pursuit of revenue generation. 68For example, distributed denial-of-service ('DDoS') attacks may be made to shut down a home network or tamper with devices. 69Hackers may then demand a ransom through an internet connected printer to restore access. 70Alternatively, a hacker who has gained control of a smart home network may orchestrate a physical attack through a smart device and deny inhabitants access to security devices like smart locks or garage openers. 71Smart televisions are also vulnerable to malicious malware.Malware 'Revoyem' redirects users on smart televisions, through its web browsing facilities, to child-pornographic-themed pages, and demands payment to 'clean' the system. 72I LEGAL RESPONSES TO THE SMART HOME Cybersecurity in Australia is not directly regulated by a single governing piece of legislation.Rather, there exists a patchwork of different laws, regulations and guidelines which regulate conduct and place obligations on 'entities' subject to the Privacy Act. 73Non-compliance with those obligations render an entity liable to punishment and enforcement under the civil penalty framework imposed by the Privacy Act. 74This part of the paper will examine and discuss the current privacy law framework in Australia in relation to potential forms of relief that may be sought by an affected smart home device user following a hack.Specific emphasis will be placed on the rationale of Australia's Principles-Based Regulation framework, reasonable steps to protect personal information under Australian Privacy Principle 11, and the introduction of the mandatory data breach notification scheme.

A Principles-Based Regulation
The privacy regime adopted in the Australian model is based on the 1980 Organisation for Economic Co-operation and Development's (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data ('OECD Guidelines'). 75The OECD Guidelines, and hence Australia's regulatory framework of legal obligations in information security, are modelled on Principles-Based Regulation ('PBR').Australia's adoption of PBR is widely accepted. 76Of particular interest to this paper is the OECD Guidelines' advancement of the 'security safeguards principle', which states that 'personal data should be protected by reasonable security safeguards.' 77 PBR distinguishes the regulator from the regulated.In Australia, these most commonly amount to the Office of the Australian Information Commissioner ('OAIC') and the entities subject to the authority of the Privacy Act. 78Julia Black, a leading scholar in PBR, has explained the theory as effectively involving a shift in responsibility from the regulator to the regulatee. 79The delegation of regulatory function is described as a conscious and deliberate intention by the regulator to influence the regulatee's internal systems of management and control. 80The delegation of control inherent in this theory is consistent with 'meta-regulation'. 81PBR requires and assumes a high level of trust and cooperation on the part of the regulatee to be competent and responsible, maintaining 'regulatory conversation' with the regulator. 82It reinforces the notion of the 'self-observing, responsible organisation.' 83 prevent the market being dis-incentivised, the regulatee, assumedly understanding its own environmental context, self-regulates.It is assumed that these entities, through corporate culture, will maintain a level of corporate social responsibility to consumers, particularly in the form of cybersecurity. 84The Australian model has been referred to as 'light touch regulation' by its national government, as maximum flexibility is maintained in allowing entities freedom to meet principle-based statutory outcomes by developing innovative forms of compliance. 85PBR can be contrasted to a hierarchical rule-based regime, where 'bright line' and specific rules are adopted. 86PBR is argued to provide an advantage over the hierarchical approach by identifying broad principles which encourage compliance with the spirit rather than the letter of the law. 87The model attempts to prevent the stifling of progress, particularly at the design level, by not burdening entities with obligations to incorporate specific security features to strengthen the protection and integrity of a particular device. 88wever, the PBR regime has been criticised for allowing regulators to act retrospectively, increasing the level of uncertainty of consumers and regulatees as to their standing regarding current conduct and measures, and reducing predictability of regulatory responses to future disputes.It is argued that PBR provides inadequate protection to consumers by creating a corporate culture of adhering to the very 'minimum level' of compliance, hence failing to afford certainty and predictability to consumers. 89ey to the successful implementation of PBR, therefore, is the manner in which it is implemented and the institutional context which surrounds it.Without this context, PBR's 'light touch' regulation may lead to a market consensus of risk-taking in the pursuit of profit over product safety, 90 and the use of ineffective compliance systems based on internal organisational control. 91Australian Privacy Principle 11 The Australian Privacy Principles (APP) were introduced to the Privacy Act under the Privacy Amendment (Enhancing Privacy Protection) Act 2012, 92 and commenced operation in 2014. 93The APPs replaced the now-repealed National Privacy Principles and Information Privacy Principles. 94UT Law Review -Vol 18, No 2 | 277 They are designed as a broad 'technology-neutral approach' for application to current and future technologies, and reflect PBR by acting as 'high-level principles' to guide data management practices of entities regulated under Privacy Act. 95APP 11 does not mandate specific security obligations on entities. 96Each entity ultimately takes the onus and responsibility of determining how to comply with the APPs in the context of their specific circumstances and the data management practices in which they employ. 97 the context of obligations for cybersecurity in the smart home, APP 11 is of most relevance as it relates to security of personal information. 98APP 11.1 states that if an APP entity 'holds personal information' it must take 'such steps as are reasonable in the circumstances' to protect the information from: 'misuse, interference and loss', as well as 'unauthorised access, modification or disclosure.' 99 'Personal information' is defined under section 6(1) of the Privacy Act as 'information or an opinion about an identified individual, or an individual who is reasonably identifiable.' 100 An entity 'holds' personal information if the information complies with the definition of 'personal information' under section 6(1) and the entity 'has [physical or electronic] possession or control of a record that contains the personal information.' 101

Such Steps as are Reasonable in the Circumstances
The Explanatory Memorandum to the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 states that 'reasonable steps in the circumstances' is an objective assessment, but that 'objectively reasonable steps' depend on the 'specific circumstances of each case.' 102 It is dependent on the relevant risks within an entity and their particular devices. 103For example, it would be unreasonable to implement high cybersecurity protocols in a device that has low privacy risks where the costs of taking such steps are high. 104This reflects the underlying reasoning of PBR as the regulated entity is best placed to identify its own risks in its internal environment, and has delegated authority to implement cybersecurity protocols proportionate in cost to these conceived risks. 105e Joint Investigation of Ashley Madison in 2016 highlights that cybersecurity governance frameworks are assessed with consideration of possible risks faced in the circumstance, and security measures in view of the amount of sensitive personal information held. 106Failure to take reasonable steps may also include having a lack of basic security measures in place which could reasonably have been implemented, such as encryption of passwords. 107Further, the hack of the Sony PlayStation Network in 2011 emphasises that if appropriate security safeguards are in place, an entity may still comply with its data security obligations under APP 11.1 despite a security breach occurring. 108'Misuse, Interference and Loss' and 'Unauthorised Access, Modification or Disclosure' A 'misuse' occurs where personal information is used for a purpose not permitted by the Privacy Act. 109'Interference' with personal information arises where the integrity and security of the personal information is compromised, but does not necessarily require modification of its content. 110This would have application where smart home devices are hijacked but the hacker does not change the basic functionality of the device. 111The same scenario could also be applied to establish an 'unauthorised access'. 112A 'loss' is established in this context where there is either a physical or electronic loss of personal information. 113Destroy or De-Identify Information Under APP 11.2, where personal information is no longer needed by the entity 'for any purpose for which the information may be used or disclosed' the entity must take reasonable steps to 'destroy the information or to ensure that the information is de-identified.' 114 De-identification requires removal of personal identifiers and removing or altering information which may allow an individual to be identified. 115The costs involved in this process are generally high, so entities may opt rather to destroy information through secure methods, but must avoid unauthorised disclosure during the destruction process. 116

C Mandatory Data Breach Notification Scheme
The Australian privacy model previously operated on a voluntary notification scheme, whereby there was no requirement under the Privacy Act to notify affected individuals or the Information Commissioner when a data security breach occurred. 117This voluntary notification scheme was criticised for underreporting instances of serious data breaches and for excessive delays in notification. 118The introduction of mandatory data breach notification scheme, which took effect from 22 February 2018, is the result of numerous recommendations by the Australian Law Reform Commission ('ALRC') and the OAIC to provide increased transparency to consumers. 119Mandatory Data Breach Notification ('DBN') emanates principally from California in the United States of America, 120 but has been adopted worldwide from Canada to the European Union and New Zealand. 121ngela Daly highlights the comparative regimes in the US, which operate in sectors as a 'patchwork of unharmonised data breach notification legislation', to that of the European Union, where, similar to Australia, data breach notification laws operate alongside existing comprehensive data protection laws. 122It is predicted that notification rates should double in Australia with the introduction of the new scheme for mandatory notification. 123e rationale of DBN in Australia is twofold.First, it is so individuals may personally take remedial steps if personal information is compromised, such as by changing passwords to mitigate the potential for identity theft. 124Second, it encourages entities to be proactive in taking steps to address data breaches and have readily available data breach response plans. 125DBN recognises that the absence of notification to individuals of data breaches which involve personal information 'does not align with the almost universal agreement from the Australian public that an organisation should inform them if their personal information is lost [or breached].' 126Australia's new mandatory DBN scheme is enacted under the Privacy Amendment (Notifiable Data Breaches) Act 2017. 127The amendments insert a new Part IIIC into the Privacy Act. 128This was done deliberately in an attempt to streamline the regulatory process. 129The DBN scheme places an obligation on entities subject to the Privacy Act to notify the OAIC and 'affected individuals' as soon as practicable when an entity has reasonable grounds to 'believe' that an 'eligible data breach' has occurred. 130An 'eligible data breach' occurs where there is a 'data breach', the 'data breach' is likely to result in 'serious harm' to one or more individuals from the perspective of a 'reasonable person', and an exception to the requirement for notification cannot be established. 131As the relevant entity ultimately determines whether or not an 'eligible data breach' occurs and mandatory notification is required, the DBN scheme is based on the PBR notion of delegated authority. 132It relies on entities acting responsibly through a detailed 'risk-based analysis' and maintaining regulatory conversation with the OAIC. 133 Data Breach A 'data breach' occurs under section 26WE(2) of the Privacy Act where there is 'unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information.' 134These terms are not defined in the current Privacy Act or new provisions, but are to be given their ordinary meanings. 135'Unauthorised access' has been described to occur where personal information is accessed by someone who is not permitted access to that information. 136This definition is generally intended for external interferences with an individual's personal information stored by an entity. 137he Data Breach Guide refers to unauthorised access as 'databases containing personal information being "hacked" into or otherwise illegally accessed by individuals outside of the agency or organisation.' 138The terms 'unauthorised disclosure' and 'loss' are generally intended for internal interferences with personal information, and may arise from inadvertence on the part of the entity. 139here the entity does not have reasonable grounds to believe an eligible data breach has occurred but 'suspects' one may have, the entity must, within thirty days of developing the suspicion, perform a 'reasonable and expeditious assessment' of the suspected breach under section 26WH. 140Wilful ignorance will not circumvent an entity's obligations or liability under the new provisions. 141 2 Serious Harm In order to balance individual and corporate interests, the compliance burden in DBN is reduced to eligible data breaches likely to cause 'serious harm'. 142The legislative intention for this requirement is to minimise the risk of 'notification fatigue' on the part of individuals and the administrative burden this may place on entities. 143'Serious harm' is not defined in the Privacy Act but is considered a high threshold. 144The Explanatory Memorandum to the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth) notes that serious harm may include 'serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation as well as other forms of serious harm'. 145'Serious harm' is measured from the perspective of a 'reasonable person in the entity's position' and what they would 'identify as a possible outcome of the data breach.' 146Section 26WG of the Privacy Act identifies a non-exhaustive list of matters relevant in assessing the likelihood of serious harm, including the kind and sensitivity of the information. 147In determining whether an unauthorised access or disclosure will cause serious harm, the phrase 'likely to occur' is interpreted as 134 Privacy Amendment (Notifiable Data Breaches) Bill 2017 (Cth) 5-7.
QUT Law Review -Vol 18, No 2 | 282 parties. 159Once an entity has complied with the obligation, the other entities are relieved of that same duty.

Existing Criticisms of Mandatory DBN: Enforcement and Compliance
The mandatory data breach notification model has been criticised for its focus on reputational sanctions as its principal regulatory mechanism and has been described as failing to adequately address the aftermath of a data breach in a practical manner. 160Greenleaf and Clarke have identified a nearuniversal failure internationally of compliance authorities, including the OAIC, in documenting and publishing statements of data breach complaints as a major contributing factor to issues of transparency in the enforcement and compliance process of such models. 161Though organisations are required under the scheme to publish of data breaches with respect to affected individuals and the OAIC, it has been argued this alone is insufficient to make details of data breaches available for public attention. 162Further supplementation of notification under the scheme has been advised in the form of publication on the OAIC website, as part of a permanent, browsable and searchable database, to allow recurrent aspects of breach notification to be identified by interested parties. 163Such a searchable data base is promoted as likely to exhibit more of a deterrent effect on organisations and more effectively induce improvement of data security measures than is currently observed in compliance activities of regulated parties. 164Without a public forum in which OAIC can publish statements by affected entities, the 'light touch regulation' envisioned by the PBR may be imbalanced given the lack of 'feedback loops' available to allow consumers to become aware of data breaches, encourage organisational compliance and complaints, and discourage data security breaches. 165 ANALYSIS OF LEGAL RESPONSES This part of the paper will analyse the legal responses identified in Part III and determine whether those responses are capable of sufficiently addressing cybersecurity concerns in the smart home.

A Does Data in a Smart Home Device Constitute 'Personal Information'?
In order for cybersecurity breaches to be regulated under APP 11 or the DBN scheme, the data collected by the relevant smart home device must constitute 'personal information' within the meaning of section 6(1). 166If the information is not capable of identifying or reasonably identifying an individual, it is outside the ambit of the Privacy Act. 167This question can only be answered on a case- by-case analysis.Clearly, the Google Home, which synthesises a user's web history and emails, and is further capable of integrating with third party applications, will constitute 'information … about an identified individual' within the meaning of section 6(1).Even if the information did not explicitly name the individual, 168 the context and sheer volume of information stored about the user would that individual 'reasonably identifiable'. 169Additionally, information relayed from a FitBit to the Google Home exposes the device to 'health information' within the meaning of 'sensitive information' under section 6(1). 170In contrast, the information collected on a smart lightbulb may only store preferences for remote-control lighting, which makes identifying or reasonably identifying an individual challenging.Thus, data stored by some smart home devices such as a smart lightbulb may not necessarily, alone, constitute 'personal information' under the Privacy Act.This is particularly so given the Federal Court's recent consideration of the definition and what constitutes information 'about' an individual for this purpose in Privacy Commissioner v Telstra Corporation Limited, 171 where, according to some commentators, the qualification may have been narrowed. 172e situation of a breached smart lightbulb may change regarding the interpretation of the kind of data involved, however, where a hacker infiltrates a smart bulb and patches through a 'current status' update. 173The individual would then be reasonably identifiable, as the presence of their physical location can be determined by the hacker.The situation changes again where a hacker uses a breached lightbulb to access other devices in the smart home network, where the other devices carry similar firmware with shared vulnerabilities to the smart bulb.The hacker would then theoretically be able to access a user's home control inputs and devices and commit further attack. 174rk Burdon highlights that while the ALRC's 2008 Report recommended a limited definition of 'personal information', it recognised the purpose of DBN in Australia, alike that in the EU, is more extensive in application than in mitigation of identity theft, the principal approach of the US. 175As such, Burdon argues that, to achieve this more comprehensive application, the Australian DBN approach must seek to incorporate rather than negate circumstances which are context-dependent. 176nder this approach, circumstances of breach constituting personal information triggering an obligation to notify may change when a device, which is interconnected with other devices in a smart home network, is breached.This may be so even where the obligation would not exist for breach of the device alone had it not been interconnected.the volume of information stored in the smart home network almost guarantees that the information constitutes personal information under section 6(1) as it is readily identifiable to an individual.Telstra has estimated that the average Australian household contains thirteen internet-connected devices. 177his figure is set to increase to over thirty devices by 2021. 178Given the rise of the smart home market in Australia, it is increasingly likely that the data stored in an individual smart device will either constitute 'personal information' alone, or, if not, it will fall within the definition as part of the smart network, due to the greater context provided by additional information from an increased number of devices. 179Do the Legal Responses Address Cybersecurity Threats to the Smart Home?
Compliance with APP 11 is ultimately delegated to the regulated entity to interpret and implement protocols in a smart home device. 180Assuming that smart home device data constitutes 'personal information' within the meaning of section 6(1), an entity may be liable for failure to take 'such steps as are reasonable in the circumstances' in relation to a cybersecurity breach of a device. 181e expansion of the smart home market has raised concerns that some manufacturers of smart home devices are prioritising profitability over product development at the expense of product safety in the commercial drive for an increased profit margin. 182A study which interviewed IoT designers and developers in Australia regarding their perspectives on the growth of the market identified that there are entities in Australia that focus purely on 'innovation' rather than 'privacy in the design of IoT devices.' 183 It was found that these entities aimed for 'quick innovation and pushing new products'; the legal framework 'a lagging indicator into what innovation offers.' 184 If this reasoning resulted in a market consensus or trend of implementing poor cybersecurity protocols in smart home devices at the design phase in favour of innovation, 185 and that device was breached by a hacker, 'reasonable steps' would be construed in relation to the steps, or lack of steps, the entity had taken to prevent the breach.The focus of the terminology in APP 11.1 is not on the design infrastructure of a breached device, but rather on analysing the security measures at the point of the breach. 186The use of the terms 'misuse, interference and loss' as well as 'unauthorised access, modification or disclosure' concentrate the analysis on reasonable steps taken at the point of breach, such as incorporating mutual authentication or secure communication. 187ile the OAIC may determine that an entity did not adequately secure personal information, such as in failing to encrypt data as it is transmitted and transferred to other smart home devices, this does not materially prevent the breach of the device from occurring in the first place.The effectiveness of APP QUT Law Review -Vol 18, No 2 | 286 notification obligations has been calculated to be a much higher amount overseas. 196Under PBR reasoning, the obligation of mandatory notification incentivises entities to further invest in data security measures in their devices.This is to prevent cybersecurity breaches from occurring and the need for notification ever arising, as this could cause significant reputational damage on top of the surface and hidden costs that would result from a notifiable breach. 197The PBR reasoning underpinning DBN does not always align smoothly in the context of smart home devices as establishing the requirement for notification is not always clear.
By focusing on 'data' breaches, an entity may comply with the 'letter of the law' in not reporting 'data' breaches even if a smart home device has been hacked.Two concepts can be distinguished: a hack of a device and a hack of data.A clear hack of data, such as widespread ransomware or physical attack on numerous smart homes, would likely trigger the obligations of the scheme.On the contrary, a hack of a single smart home device is not strictly notifiable as it may not fulfil the requirements of an 'eligible data breach'. 198While the first limb in establishing a data breach is likely fulfilled given that 'unauthorised access' is interpreted liberally, proving 'serious harm' is considered a high threshold. 199 hacker may obtain 'unauthorised access' to a smart device, but where they do not modify the content of the device and merely observe the use of information by the inhabitants, it may be difficult to establish 'serious harm'.This sort of breach would have to be established as either 'psychological', 'emotional' or, a more probable than not threat of 'physical' harm to the affected individuals. 200ere a hacker obtains unauthorised access to surveillance cameras, 'serious harm' may be established as the private nature of the home and the reasonable expectation of privacy within it is compromised, and the inhabitants are at greater risk of serious physical or psychological harm. 201Thus, whether breaches of smart home devices that do not necessarily modify 'data' will be notifiable is inherently contextual.The content has to be 'defined by individuals themselves according to context' and not delegated upon an entity to determine from the standard of a 'reasonable person in the entity's position'. 202The entity may obfuscate its obligation under the DBN scheme in these situations by either remedially acting to shut down the hacker, or avoiding notification to comply strictly with the letter of 'serious harm', but not the spirit of the term. 203Depending on the method used to infiltrate a smart home or a particular device, these situations would allow hackers who breach smart home devices for stalking purposes to continue without the risk of being compromised.Neither of these situations result in the potentially affected individuals from being able to take remedial steps to protect themselves or increase transparency.This is counter to the intention and purpose of the scheme. 204rther, there are issues with quantifying an 'eligible data breach'.The use of the words 'one or more individuals' implies that an 'eligible data breach' may apply to a small household which establishes a smart home network. 205At the same time, the provisions also militate against the risk of 'notification fatigue' from entities and the corresponding lack of utility for individuals in constant notification. 206his would suggest the scale of the breach and number of individuals affected remains the primary indicator of whether the eligible data breach is notifiable in the circumstances.Paradoxically, the increase in the scale of a data breach may decrease or diminish the chance of 'serious harm' to each particular individual, 207 and thereby fail the requirement for notification on the second limb of the criterion.Hence, 'eligible data breach' potentially may be inapplicable to both breaches of small smart home networks and large-scale breaches, such as of cloud service providers in the smart home. 208

(b) 'Jointly and Simultaneously' Held Information
The concept of jointly-held information may have application to interconnected devices in the smart home and the requirement for notification provided the devices 'hold' personal information within its meaning under section 6(1). 209The application of 'jointly-held information' will inevitably depend on the individual devices in a smart home network and whether the data transfer between these devices constitute outsourcing, joint ventures, shared service arrangements or potentially an 'online platform'. 210The concept may apply where data is held jointly and simultaneously on a smart home network and a hacker uses a single smart home device to breach the entire network. 211'Man-in-the middle' attacks could also trigger notification requirements in these scenarios. 212For example, 'a data breach involving an individual's name may [increase the risk of serious harm] if the entity's name links the individual with a particular form of physical or mental health care.' 213 The interconnected nature of smart home data places tensions on the conceptions of 'serious harm' and 'personal information', as when information is combined and concurrently accessible through various smart home devices through 'communication' via protocols, the sensitivity of the information increases the risk of 'serious harm'.

C Are Smart Home Devices Conceptually and Practically Compatible with Australia's Existing
Legal Framework?
The DBN scheme attempts a balancing act between individual and corporate interests. 214The scheme asserts that individuals have a 'right to know' about unauthorised access to devices storing their information to facilitate mitigation of identity theft and other kinds of access likely to give rise to 'serious harm'.It is designed to protect those adversely affected by security breaches, 215 by letting 'individuals know that their data has slipped into unauthorised hands.' 216 The auxiliary aim is for mandatory DBN to act as a public information disclosure mechanism which improves organisational security control by encouraging sound informational and cybersecurity management as an organisational priority.The regulatory tool is framed with the consequence of reputational sanction. 217UT Law Review -Vol 18, No 2 | 288 In applying these aims, the contextual environment and its 'social application' is crucial. 218Consumers of smart home devices have a reasonable expectation of end-to-end secure connectivity. 219In a smart home network, a hacker may infiltrate a home automation system and manipulate appliances to cause physical and emotional attack.As more devices are connected to a smart home network, the accumulation of risks increases, and the interconnectivity between these devices is capable of causing problems such as uncoordinated administrators and differences in administrator preferences. 220nformation stored on these devices is also potentially accessible to an unlimited number of devices. 221his raises tensions as to whether the consumer expectation that a single smart home device will not 'create a backdoor to other devices in their home' remains achievable. 222CONCLUSION Since the enactment of mandatory DBN in February 2018, there have been 550 notifications reported as at the June to September 2018 Quarter. 223Of this total, 57 per cent were from malicious or criminal attacks, with the largest sources subject to notification being health service providers and the finance sector. 224To date, there have been no specific reported instances of notification in relation to smart home devices and as such security standards are yet to be enforced by the Commissioner.
It still remains to be seen how the DBN scheme and the introduction of the concept of 'jointly-held' information will be applied to breaches of smart home devices in Australia.Entities may no longer conceal cybersecurity breaches that have compromised their networks where an eligible data breach can be established and no relevant exceptions apply. 225In this regard, mandatory DBN may provide greater potential relief to affected consumers of smart home devices by creating a trend of increased transparency.Despite early criticisms of its practicality and enforceability, the scheme is therefore a welcome contribution to Australia's data breach notification regime. 226The benefits would be increasingly realised if, as recommended by various commentators, the OAIC were to implement a searchable public database recording notifiable data breaches to encourage organisational compliance to the scheme. 227ndatory DBN attempts to advance overarching objectives of deterrence, mitigation, transparency through information and public confidence. 228There are clear advantages and disadvantages of the merging of the DBN scheme with the current legal and regulatory privacy framework, and these are brought to the forefront in the context of smart home device breaches.The merge highlights 'vertical tensions' and 'shared horizontal weaknesses' between the current privacy law framework and the introduction of the DBN scheme. 229Vertically, there are inconsistencies in application of the DBN scheme, as an increase in the number of affected individuals may decrease the risk of 'serious harm' to each individual.The risk of 'serious harm' increases, however, in situations where information is 'jointly-held' and each individual is deemed to be more at risk.Horizontally, the adherence to PBR and 'light touch regulation' allows entities subject to the Privacy Act to dictate the terms in which smart home devices are designed and administered potentially without regard to cybersecurity protocols.While mandatory data breach notification may help to foster organisation culture and corporate social responsibility centred around privacy and 230 it may simultaneously encourage increased risk-taking, poor design level security protocols and 'creative compliance'. 231e extent to which the DBN scheme may apply to smart home device breaches is uncertain, but it is also unlikely to have much, if any, impact for breaches of small smart home networks.This is because the introduction of the scheme, whilst enforcing notification for serious breaches of some devices, may not prevent individual data breaches for other devices in a smart home network from becoming notifiable.There are issues with the conceptualisation of the definition of 'personal information' under the Privacy Act. 232The data collected by a smart home device, in its retention of personal preferences for automation of certain functions of the home, does not neatly fit under 'personal information' or 'sensitive information' within the meaning of section 6(1). 233The focus of the DBN scheme on 'data' may also allow an entity to obfuscate its obligations of mandatory notification by complying with the 'letter' of the scheme rather than its spirit.The most viable use for the scheme in relation to the smart home is its application to the concept of 'jointly-held information', which lacks historical legal basis.The interconnectivity of devices highlights unchartered territory in cybersecurity and an attempt to achieve legal certainty in an inherently uncertain area. 234Questions surrounding obligation and liability will inevitably arise as the concept of 'jointly-held information' gains traction and smart home devices become outdated and extend beyond their intended product life-cycle. 235is paper has argued that, while attempting to balance conflicting interests between individuals and entities, 236 the DBN scheme raises questions over the continuing viability of PBR in the wake of digital disruption.Gartner Consulting predicts that the smart home market is between five to ten years away from maturity. 237The global smart home market is projected to be worth around forty billion dollars by 2020. 238It is possible that a principle-based approach which allows overwhelming flexibility to the regulated entity is no longer feasible, as there may be no market-based solution to the issue of poor cybersecurity. 239A more prescriptive approach which specifies mandatory minimums and is less focused on ensuring flexibility for entities, or an approach which focuses on cybersecurity more generally rather than an emphasis on 'data', may be more tenable alternatives to traditional PBR in the rise of the smart home. 240 Kaman Tsoi and Mandy Milner, ''What Can I help You With?': Privacy and the Digital Assistant' (2016) 13(9) Privacy Law Bulletin 190.See generally the introduction of the DragonDictate released in 1997 and the release of the iPhone in 2007; See generally Sivaraman et al, above n 3. QUT Law Review -General Issue QUT Law Review -Vol 18, No 2 | 270