AUSTRALIA PASSES BREACH NOTIFICATION RULES

27 February 2017

After several years of deliberation, Australia is to introduce mandatory data breach reporting requirements.

On February 13, the Privacy Amendment (Notifiable Data Breaches) Bill 2016 was passed by the Australian Senate and House of Representatives. The Bill requires Royal Assent before it can be implemented; however, it is expected to apply within the next twelve months.

Once implemented, the amendment will require government agencies and Australian companies with an annual turnover of over AUD 3 million to notify the Australian Information Commissioner of an eligible data breach. Consequently, companies will also be required to inform affected customers.

Under the Bill, an eligible data breach is defined as unauthorised access to or disclosure of personal information – such as identifying information or credit card details – that would likely lead to “serious harm” to the individual to whom the information relates. It also applies to the loss of data, such as misplacing a hard drive or laptop containing a list of customer contact details.

Failure to comply with the new privacy law can result in fines of up to AUD 1.8 million, while the notification of a breach could be seen as an admission of liability.

Wider trend

The privacy amendment will bring Australia more in line with consumer protection and privacy regimes in the US, as well as with the upcoming General Data Protection Regulation (GDPR) in Europe. As already seen in the US, mandatory notification requirements typically result in higher breach response costs, which in turn has helped drive demand for cyber insurance. 

Affected organisations should now start thinking about the potential financial impact of a data breach under the new law, as well as the appropriateness of their insurance cover. 

Cyber insurance is now widely available in the domestic Australian insurance market, although broader cover and greater capacity can be found in the London cyber insurance market. 

Given the potential for a larger quantum of loss under the new data protection laws, we would strongly advise Australian companies to take an international view when building their cyber insurance program.