What You Need to Know About Data Breach Notification Legislation

If your turnover is more than $3 million per year and you are governed by the Privacy Act or if you are a smaller business handling sensitive information then the new incoming Data Breach Notification Legislation will impact your business.  The bill now only needs royal assent, which is a formality and then it becomes law.

What is the new law?

The law means that businesses that have discovered they have been breached or have lost data will need to report the incident to the Privacy Commissioner as well as notifying affected customers as soon as they become aware of the breach.

The notification must include a description of the data breach, what kind of information it was and how customers should respond to the security incident.

What’s the impact of not reporting a breach?

Anyone not reporting a breach face fines of $360,000 for individuals and $1.8 million for businesses so it’s something everyone needs to take seriously.

What is classed as a data breach in the new law?

The law considers a breach to have occurred when data is accessed by an unauthorised entity, disclosure or loss of customer’s information held by a business and that generates a real risk of serious harm to individuals involved.

Data breaches are not limited to malicious actions, such as theft or hacking but could come from internal errors or process failures that cause accidental loss or disclosure.

What type of data and where comes under Data Breach Notification Legislation?

Anything from personal details, financial information, credit reporting information, tax file number information etc. held on any device including mobiles, usb keys, hard drives, company network or paper records.  The legislation has a very broad scope.

Here’s a few examples of where the legislation will apply –

  • A mobile device containing company information is lost and there’s no way of managing it remotely or ensuring that is hasn’t
    been accessed.
  • There is unauthorised access to a spreadsheet containing customer financial information.
  • A member of staff mistakenly emails the information of one individual to another individual.
  • A member of staff takes personal information of customers.
  • A contractor working on a database containing customer information takes a copy on their laptop and has their laptop stolen.
  • An IT staff member finds malicious software on a computer and discovers that confidential information has been held on that computer.

What harm could result from a breach?

  • Identity theft
  • Financial loss
  • Threat to physical safety
  • Threat to emotional wellbeing
  • Loss of business
  • Damage to reputation
  • Bullying
  • Loss of public trust
  • Reputational damage
  • Loss of assets
  • Financial exposure
  • Regulatory penalties
  • Extortion
  • Legal liability

What you need to do now

Before the legislation is introduced it is critically important that businesses already have a strategy in place so that there is no
last-minute panic and costs explode as well as strategies that have been rushed and poorly implemented.

We would recommend looking at the following components as a starting point –

  • Review your current data security strategy
  • Develop a cyber security strategy that just doesn’t involve IT
  • Educate your staff
  • Develop a data breach strategy

If you need any assistance with your cyber strategy or you don’t know where to start please call us on 1300 478 738 or email us at info@suretyit.com.au.

More Reading:

Tips to Prevent Data Breaches in Your Business

How to Report a Data Breach

How to Minimise the Impact of a Data Breach


Contact Us

This field is for validation purposes and should be left unchanged.

Find out how we can help with your IT challenges.

About the author:

Picture of Ash Klemm

Ash Klemm

Ash has over 20 years of experience in sales and marketing. His journey from a casual salesperson at Chandlers to State Manager at a national IT distribution company, while battling health issues, including a double lung transplant in 2015, gave him the experience, know-how, tenacity, and marketing insight, to find solutions and help businesses grow. After spending several years in the ivory tower of state management, Ash missed the genuine connection of face to face meetings and helping make a difference to businesses in need. His authentic, conversational, and easy-going nature helps our customers feel at ease and shows them we are a brand to trust. Ash spends his days advocating for our customers to ensure they receive the best possible service in a timely fashion. Ash is also the in house chair builder. His curiosity and natural problem-solving ability make him the perfect first call for all our new customers to help determine what is wrong, how Surety IT can help and what the best solutions are moving forward.
Scroll to Top