Mandatory Disclosure: key takeaways from the Privacy Amendment (Notifiable Data Breaches) Act 2017

Yesterday the Australian Parliament enacted the long-awaited Privacy Amendment (Notifiable Data Breaches) Bill 2016. The key message is that the clock is ticking, with the legislation coming into effect from 22 February 2018.

Key Takeaways:

  • Any government agency covered by the Privacy Act, and any Australian company with an annual turnover greater than $3 million, will be required to notify affected customers and the Privacy Commissioner within thirty days of any breach or data loss.
  • You’ll need to disclose what information was involved. This could include personal details, credit card information, credit eligibility information, and tax file numbers.
  • You’ll also need to advise how customers should respond.
  • Penalties for non-disclosure range from $360,000 for individuals to $1.8 million for organisations.
  • According to the legislation, a reportable breach is one that generates a real risk of serious harm to the individuals involved.
  • The legislation will be coming into effect from 22 February 2018.

What does it mean for you?

  • Lawyers will argue for decades over what constitutes a real risk of serious harm to customers or other third parties.
  • Lawyers will also argue long and hard about whether or not an organisation has done enough to avoid a breach being reportable. Is it enough to ask the recipient of a mistakenly sent email to delete its contents? Can I argue the cabbie probably hasn’t broken into the laptop I left on his back seat? Really?

What must I do now?

Eliminate uncertainty. At the end of the day, nobody knows exactly how high the compliance bar will be, or exactly when it will come into effect. But to cover your bases and minimise the risk of incurring significant fines, every business within the scope of the legislation should immediately do three things:

  • Make sure your systems and your people can detect a breach as soon as possible after it happens;
  • Have robust, comprehensive and quick-acting incident response protocols in place to ensure you can shut down the breach immediately; and
  • Ensure your archiving and analysis capabilities are best-of-breed, so you can quickly and accurately understand how much and what type of data was lost.

InfoTrust can help get your house in order – contact us today.

At InfoTrust our experts are already combing the detail of the legislation to understand exactly how to be ready for the commencement of the new regime.