At some stage, you will be the victim of a data breach. The consequence of a data breach could be that the personal information of your clients is exploited. According to data collected by Gemalto in its Breach Level Index (BLI), there were 974 data breaches worldwide in the first half of 2016, up 15% from the previous six months. Of those incidents, 29 affected more than one million records. Perhaps what is most disturbing is that Australia had five and a half times the number of data breaches of China.
In response to these increasing threats, government, business and the not-for-profit sector are expected to take reasonable steps to protect the personal information of customers. Government agencies and businesses governed by the Privacy Act will soon be required to notify any individuals affected by a data breach that is likely to result in serious harm. The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) passed the Senate on 13 February 2016 and received assent on 22 February 2017. The effect of the changes is that the Privacy Act 1988 (Cth) (Privacy Act) will now impose mandatory data breach notification requirements on entities when there has been an 'eligible data breach'.
Don't ignore this development, as significant penalties, including fines of up to AUD$360,000 for individuals and AUD$1.8 million for organisations, can be imposed.
Do these changes apply to you?
If you are an APP entity, i.e. you are bound to comply with the Australian Privacy Principles, then mandatory reporting applies to you. Entities include:
- businesses with an annual turnover of more than $3 million
- not-for-profit organisations with an annual turnover of more than $3 million
- private sector health services
- private tertiary education institutions
- businesses that sell or purchase personal information
- individuals who handle personal information, including those who handle credit reporting information, tax file numbers and
So what is an eligible data breach?
An eligible data breach happens if:
- there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity; and
- the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
Who and what must you notify?
In the event of an eligible breach you must notify:
- the Office of the Information Commissioner (the Commissioner); and
- the at-risk individual/s.
You will be obligated to set out:
- your contact details;
- the nature of the breach; and
- the steps you recommend that affected individuals take in response to the breach.
When must you notify?
An entity must give a notification if:
- it has reasonable grounds to believe that an eligible data breach has happened; or
- it is directed to do so by the Commissioner.
Does the legislation go far enough? Does it go too far? I expect there will be a compliance burden on a number of sectors, but much will depend on how the words 'likely' and 'serious harm' are interpreted.
It will be interesting to see what steps are taken by the government and regulators with respect to those most vulnerable in our community, including children, who may not be equipped to take advantage of the warnings provided. One step at a time...
The other burning question to me, as an insurance lawyer, is how the insurance market will respond to these changes. Some cyber policies presently offer cover for fines and penalties. When those policies were written, one would assume that the cover was contemplated to be in relation to breaches reported to the Commissioner under the Australian Privacy Principles. Typically, those types of fines and penalties were small in monetary value. Over the next two years the insurance industry will need to keep a close eye on the enforcement of the amendment. Premiums for cyber insurance are likely to increase, but maybe the value clients demand from these policies will increase too.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.