New Privacy Amendment Bill receives Assent – Mandatory Data Breach Reporting: Is your organisation ready?

20 March 2017

Michael Cassidy, National Leader, Forensic Services
Leon Fouche, National Leader, Cyber Security

The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was passed on 13 February 2017 and received Royal Assent on the 22nd of February 2017. The amendments, which are enacted by this new legislation, are set out in Schedule 1 and will commence 12 months from the date of Assent.

The legislation defines an eligible data breach as a scenario where there is unauthorised access to, unauthorised disclosure of, or loss of information, and the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.

This legislation requires entities regulated under the Privacy Act 1998 to:

  • Mandatorily disclose any case where there are reasonable grounds to believe an eligible data breach has occurred. Businesses must advise the Office of the Australian Information Commissioner (OAIC) and contact all individuals whose data may have been compromised (individuals also have the right to query what information was leaked).
  • Commence an investigation into any suspected data breach within 30 days, counted from the time they become aware of reasonable grounds to suspect that an eligible data breach has occurred. (Failure to comply with this timeline constitutes an interference with the privacy of an individual and will result in severe penalties.)

Organisations should ensure they have appropriate response plans they can readily apply in the event of an eligible data breach. In the absence of response plans, complying with the new legislative requirements will be very challenging and businesses may find themselves under attack from not only cyber criminals but also the OAIC.

Worryingly, BDO and AusCert’s recent Cyber Security Survey highlighted that many organisations are not prepared for the impending mandatory disclosure requirements with:

  • 52% of respondents indicating that they did not have a cyber-incident response plan;
  • 59% indicating that they did not have a cyber-incident response team or the capability to respond to cyber-incidents; and
  • Only 49% of respondents indicating that they provide cyber risk reporting to the Board and executives.

Ultimately, senior executives are accountable for any data breach, and in light of this new regime and the increased transparency requirements that come with it, this accountability is only set to increase.

There is no doubt that cyber-attacks and data breaches will continue to increase in frequency, complexity and sophistication. Therefore, it is vital that organisations work to improve their overall cyber resilience by having a Cyber Incident Response Plan in place to respond to and report on cyber-attacks as quickly as possible.

This article has been carefully prepared, but has been written in general terms and should be seen as broad guidance only. The article cannot be relied upon to cover specific situations and you should not act, or refrain from acting, upon the information contained therein without obtaining specific professional advice. Please contact the BDO member firms in Australia to discuss these matters in the context of your particular circumstances. BDO (Australia) Limited and each BDO member firm in Australia, their partners, employees and agents do not accept or assume any liability or duty of care for any loss arising from any action taken or not taken by anyone in reliance on the information in this publication or for any decision based on it.