Mandatory data breach notification laws to take effect by 23 February 2018
Updated: Jan 21, 2018
October 12, 2017 | Roger Glasson
After 23 February 2017, you will be required to inform the Office of the Australian Information Commissioner and any potentially affected individuals of an "eligible data breach". Importantly, turning a blind eye to a breach will not allow entities to avoid the requirements of the Privacy Act.
Organisations and Federal agencies subject to the Privacy Act (APP Entities) should take steps now to ensure that their practices and procedures will enable them to meet the new obligations to which they will be subject under the amended legislation.
Various exemptions to the notification requirement will be included in the amended legislation.
Perhaps the most interesting exception is that a notification will not need to be given if the APP Entity takes remedial action before any serious harm is caused by the breach. CCS Dark Market Scanning services are designed to assist with early detection of data breaches, helping to mitigate damage to the company and to affected individuals. This exemption demonstrates the value of CCS early detection and action. Importantly, a company's ability to detect a data breach at the first available opportunity, and to act on it, will depend on how well the organisation has prepared for such an occurrence.
A failure to comply with the notification obligations will fall under the Privacy Act's existing enforcement and civil penalty framework. Accordingly, APP Entities may be subject to anything from investigations to, in the case of serious or repeated non-compliance, substantial civil penalties.