Mandatory Data Breach Notifications

The Government has released draft legislation that will introduce mandatory data breach notifications in 2016. The legislation aims to make it compulsory for organisations regulated by the Privacy Act to notify regulators and affected individuals if there are reasonable grounds to believe that a serious data breach has occurred. While the legislation details are awaiting industry discussion, we have some answers to frequently asked questions for your reference…

What constitutes a serious data breach?

A serious data breach is when there is unauthorised access to, disclosure or loss of customer information held by an entity, which as a result generates a real risk of serious harm. Such information includes personal details, credit reporting, credit eligibility, and tax file number information. A serious data breach can consequently be caused by a malicious hack, an internal administration error or a lost laptop/USB.


When is notification required?

An entity must notify “as soon as practicable” after it becomes aware or has reasonable grounds to believe a serious data breach has occurred. When an organisation suspects a serious data breach has occurred but is not certain, it will have 30 days to assess if notification is necessary.


What happens if there is a failure to notify?

The Privacy Commissioner will have the power to firstly order a business to comply with its mandatory notification obligations. A penalty structure could also be applied to more serious cases or for repeated non-compliance.


Does this apply to me?

The proposed legislation will apply to those organisations regulated by the Privacy Act. This essentially means businesses with a turnover of less than $3 million a year will be exempt. However, the exemption does not apply to some businesses, including health service providers, credit reporting bodies or those that trade in personal information.


For organisations that fall outside the scope of the proposed legislation, while they are not required to disclose breaches by law, it is still recommended to voluntarily notify affected individuals as good privacy practice.


How can CRM Brokers help?

CRM Brokers can arrange an insurance policy that covers the cost of notifying clients as well as providing a 24/7 expert response service in the event of a data breach. Further information can be found at our Cyber Event Insurance webpage.


For a Cyber Event Quotation (turnover less than $10m), click here. This consists of just 10 risk questions and can be completed within 5 minutes.

For a Cyber Event Quotation (turnover over $10m), click here.

Call 1300 880 494 to talk to a CRM Broker about prevention measures and our Cyber Event Insurance to ensure your business does not become a statistic.


Important Notice

This article provides information rather than financial product or other advice. The content of this article, including any information contained in it, has been prepared without taking into account your objectives, financial situation or needs. You should consider the appropriateness of the information, taking these matters into account, before you act on any information. In particular, you should review the product disclosure statement for any product that the information relates to before acquiring the product.

Information is current as at the date the article is written as specified within it but is subject to change. CRM Brokers make no representation as to the accuracy or completeness of the information. Various third parties have contributed to the production of this content. All information is subject to copyright and may not be reproduced without the prior written consent of CRM Brokers.