If you’re keeping tabs on the ever-evolving world of data breach notification laws, you can finally add Australia to the list. Organizations that experience a data breach affecting Australian citizens now have new reporting and notification requirements.
The new breach notification law in Australia amends the Privacy Act of 1988. Thus, the new law applies to organizations governed by the Privacy Act – companies with over $3 million AUD in revenue.
Updated Australian Notification Requirements
The requirements recently passed in Australia will mirror other breach notification laws in various jurisdictions. Here are the most notable updates:
- Notify affected Australian residents and the Australian Information Commissioner in the event of an eligible data breach
- Take all reasonable steps to ensure that an assessment of the incident is completed within 30 days of discovery
- If the assessment finds an eligible data breach has occurred, required parties must be notified as soon as practicable
- If the notification to the affected parties is not practicable, the updated amendment allows for substitute notice
In the unfortunate event that an organization determines a breach has occurred, the notification itself must meet certain content requirements:
- Identity and contact details of the breached organization
- Description of the serious data breach
- Kinds of information possibly breached
- Recommendations about steps individuals should take in response to the breach
Notifications can be sent through the normal method of communication with affected individuals.
Failure to properly notify the required parties can lead to heavy fines and other consequences for organizations. The highest penalty is set at $1.8 million AUD for noncompliant organizations.
It’s important to consult with counsel and review the definitions in the law to determine whether an eligible data breach affecting personal information has occurred. However, the accompanying material gave several examples of notifiable data breaches:
- A malicious breach of the secure storage or handling of information – e.g. a cybersecurity incident in which data is compromised
- Accidental loss – e.g. theft of IT equipment, laptops, or hard-copy documents
- Negligent or improper disclosure of information
The effective date for the new law has not yet been set.