Mandatory Data Breach Notification Laws

This time next year all Australian government agencies, private sector businesses and not-for-profit organisations will be required to notify the Office of the Australian Information Commissioner as well as the affected individuals when a data breach occurs.

What is a notifiable breach?
This amendment to the Privacy Act 1988 defines a notifiable data breach as one “where a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure of” personal information.

Serious harm in the context of the amendment could include any threat to physical, psychological, emotional, economic and financial welfare, and also to reputation.

Personal information includes, but is not limited to, tax file numbers, credit card information, phone numbers, addresses and passwords or PINs.

What is the potential cost of a data breach?
The actual cost of a data breach includes the actual notification process, legal advisors, crisis communications and credit monitoring which some estimate to be in a range of $200 – $400 per record – but rarely is just one record compromised – it is more likely that thousands of records will be compromised from any one event. However, the cost of NOT reporting a breach could be equally (or more) financially damaging with severe financial penalties for non-compliance.

How to protect your organization?
This is a new world with the risks of cyber-attack growing exponentially. Marsh Australia, in their latest Client Alert, recommends organisations set up a dedicated data breach committee and consider taking up Cyber insurance cover.

Photo credit: