Mandatory data breach notification laws and your business

The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was passed by parliament on 13 February 2017. It amends the National Privacy Principles to include mandatory reporting of cyber breaches.

Who does the law apply to?

The legislation applies to all businesses and not-for-profit organisations with an annual turnover of more than $3 million, to smaller firms that handle sensitive information, and to most government agencies.

Individuals who handle personal information for a living, including those who handle credit reporting information, tax file numbers and health records, are also covered by the new data breach notification scheme.

When will the new law come into effect?

The new laws will come into effect within the next 12 months. Once the mandatory data breach notification scheme starts, your business will need to report any ‘eligible’ data breach to the Australian Privacy and Information Commissioner, and notify customers who may have been affected as soon as possible.

What qualifies as an “Eligible Data Breach”?

According to the legislation, a data breach is an instance where there has been “unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals, or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure”.

It qualifies as an “eligible data breach” when it is likely that the individuals affected by the incident are at “risk of serious harm” because their information has been exposed.

What are affected entities required to do?

As soon as practicable after the entity becomes aware of a breach, it must prepare a statement and give a copy of that statement to the Privacy Commissioner.

The statement will need to include:

  •  the identity and contact details of the entity; and
  •  a description of the eligible data breach; and
  •  the kind or kinds of information concerned; and
  •  recommendations about the steps that individuals should take, e.g. change passwords, credit monitoring, etc.

What happens if you don’t comply?

If your organisation doesn’t comply with the new laws, you could face penalties including fines of up to $360,000 for individuals and $1.8 million for organisations.

How can your organisation prepare?

We recommend that organisations start preparing now – appoint a review committee to address the new law changes, run a full risk assessment, and consider your insurance coverage to ensure your organisation is prepared when the law comes into effect. The financial implications (fines and penalties) will require a systematic change of attitude for many organisations, and conversations about cyber risk and data security need to be elevated to board level.

To find out more about the implications of the new laws, and how we can help, call Emjay Insurance Brokers on (02) 9796 0400.

Mario Cuenca