Data Breach Laws

By on December 7, 2017

Businesses should be preparing for Australia’s new Mandatory Data Breach Notification Laws.

High profile data breaches seem to hit the headlines on a very regular basis, especially in the US where mandatory notification has been in place for many years. Those laws will soon apply to Australian businesses who will be subject to data breach notification legislation that will require data breaches to be disclosed.

The Privacy Amendment (Notifiable Data Breaches) Bill 2017 has been passed by the Australian Federal Government, and will come into effect on 22 February 2018.

The bill will apply to all Australian government agencies, businesses, and not-for-profit organisations governed by the Privacy Act with an annual turnover of more than $3 million, with limited exceptions.

Once in force, organisations will be legally obliged to report any ‘eligible’ data breaches to the Australian Privacy and Information Commissioner, and notify any customers that may have been affected as soon as possible.

So what is a notifiable data breach?

A Notifiable Data Breach is a data breach that is likely to result in serious harm to any of the individuals to whom the information relates.

A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure.

Examples of a data breach include when:

  • a device containing customers’ personal information is lost or stolen
  • a database containing personal information is hacked
  • personal information is mistakenly provided to the wrong person.

What if I don’t comply?

As outlined in the bill, a failure to comply with the new notification scheme will be “deemed to be an interference with the privacy of an individual” and there are civil penalties for serious or repeated offences. There is a maximum penalty of $360,000 for individuals and $1,800,000 for corporate bodies.

What actions should I take now?

Organisations must now consider this a call to action that the Australian government is taking data breaches seriously.

Businesses should immediately begin to:

Identify where the data resides, especially if it is outsourced for processing by a third party.

Review internal data collection practices and policies, to ensure personal data is collected and stored only when necessary.

Perform a risk assessment across the whole business to identify weaknesses in cyber security practices.

Now is the time to act and take a serious look at how your business is managing and protecting personal customer information and whether all the necessary steps have been taken to mitigate a potential breach.

For more information go to:

About Gavin Moreira

Sponsored Ads