
Companies will soon be required to notify customers and Privacy Commissioner of data breaches

Dominic Powell

Companies that are turning over more than $3 million a year will soon be obliged to report data breaches to both the Privacy Commissioner and their customers, after the government’s Notifiable Data Breaches Bill passed through the Senate yesterday.

The bill, which was first promised by the Liberal Party at the end of 2015, travelled swiftly through parliament last week.

The legislation will only apply to government agencies and companies with turnover exceeding $3 million per year, which covers companies that are governed by the Privacy Act. This equates to about 6% of Australian businesses, according to the legislation.


Companies falling within these parameters will now be required to notify both customers and the Privacy Commissioner about data breaches within 30 days of becoming aware of the issue.

Companies that fail to do so may face fines of up to $1.7 million, while individuals, such as directors or managers, could face fines of up to $340,000. The bill will come into effect at a yet unspecified date over the next 12 months.

The bill defines a data breach as “where there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals (the affected individuals), or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure”.

The legislation refers to “eligible data breaches” as the grounds for compulsory notification, and defines the term as applying where a “reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure”.

Reports to the Privacy Commissioner must include the company’s details, a description of the breach, the information involved, and what steps affected individuals should now take.

Michael McKinnon, cyber security expert at Sense of Security, believes this new legislation will “finally” solve many problems for companies affected by data breaches.

“This finally solves the dilemma with companies that get compromised of ‘should we tell anyone or not?’” McKinnon told SmartCompany.

“The legal advice is always not to tell anyone, but marketing teams will always warn of the backlash if people find out.”

“It really means the stakes are a lot higher now. Businesses will now have to take care and apply due diligence when it comes to storing customer data.”

Despite this, McKinnon says the legislation is “very complicated” thanks to the parameters that also cover government agencies.

“There are multiple sub-clauses and it’s very difficult to interpret. For example, the Bill suggests a breach is only when the released information would cause a real risk to someone, which is a bit of a wishy-washy term,” he says.

However, he acknowledges the legislation is the “first step”, and says companies should be aware responsibility now falls to them.

Breaches not just cyber crime

While many companies may assume breaches refer to malicious data attacks and information getting into the hands of cyber criminals, the bill defines a “breach” to be “not limited to malicious actions”.

The explanatory memorandum for the legislation defines a breach to include lost or stolen laptops or removable storage devices, paper records that have been misplaced or stolen, and even emails sent with sensitive data to the wrong person.

It also specifies hard disk drives and other storage media that are returned to lessors without the content first being erased.

The bill sets out remedial action clauses for situations like this, where devices that contain sensitive data have been lost but action has been taken to remotely wipe the data before anyone could access it.

If companies are able to do this, then the data breach does not have to be reported.

In light of these provisions, McKinnon advises that businesses should implement remote data wiping methods for both laptops and phones.

For SMEs that do not fall under the jurisdiction of the Privacy Act, the Notifiable Breaches Bill is still good news, says McKinnon.

“For small business owners and consumers, now if our info is leaked or stolen we will be notified and have a chance to reset our passwords,” he says.

“This bill and its implications mean directors and board members are aware of the significance of data breaches, and the need to have the right measures in place.”
