In February 2017, a Data Breach Notification law passed in the Australian Senate. This law will require businesses and government agencies to notify to the Privacy Commissioner and their Customers when they suffer a data breach.  This means that Australian organisations can no longer keep quiet about Cyber Security breaches.

With the introduction of The Privacy Amendment (Notifiable Data Breaches) Bill 2016, Australia will finally be brought into line with other countries globally.

Organisations affected by these changes?

This legislation will apply to any organisation that has a responsibility under the Privacy Act.  The organisations include:

• Businesses and Not-for-profit Organisations with an annual turnover of more than $3 million
• Most Australian Government agencies

The Privacy Act also applies to other businesses with an annual turnover of $3 million or less so, by extension, the Data Breach Notification laws will apply to them too.  These businesses include:

• Private sector health services providers (even alternative medicine practices, gyms and weight loss clinics fall under this category)
• Child care centres, private schools and private tertiary educational institutions
• Businesses that sell or purchase personal information along with credit reporting bodies

Individuals who handle personal information for a living, including those who handle credit reporting information, tax file numbers and health records will also be covered under the Data Breach Notification Bill.

For the full list of organisations that will be affected, please visit this page.

When does Data Breach Notification start?

At the time of reporting, there is no fixed start date, however it is being reported that these laws will come into effect in the second half of 2017 or early 2018.

What is a Data Breach?

A Data Breach is classified as an instance where there has been ‘unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals.

Alternatively, where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure.

An “eligible data breach” occurs when there is a likelihood that the individuals who are affected by the incident are at “risk of serious harm” because their information have been exposed.

The Australian Law Reform Commission elaborates more on what is considered “serious harm”.

What does Data Breach Notification mean for Businesses?

An organisation will be required to report any ‘eligible’ data breaches to the Australian Privacy and Information Commissioner, Timothy Pilgram.  Customers who have been affected also need to be advised as soon as possible.

Organisations will be required to identify the breach, including the type of information that was disclosed. Also, a recommendation needs to be provided to individuals about the steps they need to take to protect themselves.  These steps can include recommendations to change or update passwords to their affected accounts.

There will be no hiding as organisations will be required to publish notifications online when a data breach has occurred.

What does Data Breach Notification mean for Consumers?

Traditionally, consumers in Australia have very little knowledge of an incident occurring to an organisation that holds their personal information.  With no obligation to report a data breach, organisations handled incidents in-house and behind closed doors.

With the new legislation, affected businesses will need ensure all personal information is safe and secure.  If they don’t, customers will at least now be notified and given instructions as to how to further protect themselves.  In the case of a significant breach, there will be guidelines in place about receiving some remuneration for their loss, which up until now has been missing.

Consequences of failure to notify?

As detailed in the Bill, failure to comply with the new notification scheme will be ‘deemed to be an interference with the privacy of an individual’.

A failure to make a notification may require an organisation to make a formal apology and pay compensation to any affected individuals.

For serious or repeated interference of an individual’s privacy, the Privacy Commissioner can apply to the Federal Court or Federal Circuit Court of Australia to issue a civil penalty that attracts a maximum penalty of:

• $360,000 fine for Individuals
• $1,800,000 fine for Bodies Corporate (Organisations)

Key Recommendations

Organisations will need to ensure they have an adequate Data Breach Response Plan in place by the time the legislation changes are implemented.

Cyber Insurance will play a vital role in providing the business with cover for costs incurred when making a data breach notification.  It also extends to potentially cover any loss of goodwill or damaged reputation that may arise from an incident.

Australian organisations have traditionally taken a relaxed attitude when it comes to data protection and security.  With the introduction of new legislation, it is now more important than ever to ensure your organisation protects not only itself but also it’s customers.