Corporate Australia to 'rethink' Cyber Security Policies with Serious Data Breaches Bill

February 12, 2016 By Nicole Chesterman

According to the Australian Attorney-General's Department website, a proposed Bill will require Government agencies and businesses subject to the Privacy Act 1988 (Privacy Act) to notify the national privacy regulator and affected individuals following a serious data breach.

The Bill is intended to improve the privacy of Australians without placing an unreasonable regulatory burden on business.[1]

The Bill will require notification to be sent to individuals whose personal information may have been exposed in a data breach. Unlike in jurisdictions such as the US, under present Australian law the current notification rules are applied and considered according to the particular circumstances of each breach.[2]

The new scheme applies to all companies that are currently subject to the Privacy Act. The Australian Privacy Principles (APPs), which are contained in schedule 1 of the Privacy Act, outline how most Australian and Norfolk Island Government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses (collectively called 'APP entities') must handle, use and manage personal information.[3]

What this means for Corporations in Australia

This means that most companies with an annual turnover of more than $3 million will be subject to the mandatory notification scheme associated with the proposed Bill. This will reduce compliance costs for small companies and target larger companies, who collect and use personal private information for profit.

Under the proposed Bill, which is presently open for public comment before being introduced to Parliament in 2016, a company will need to provide notification if it is aware, or has reasonable grounds to believe, that it has suffered a serious data breach. A serious breach is defined as one where there is a 'risk of serious harm' to any of the individuals whose information has been the subject of the breach.

According to the Explanatory Memorandum of the draft Bill, 'risk of serious harm' is defined in this context as including physical, psychological, emotional, economic and financial harm, as well as harm to reputation. The risk of harm must be real, that is, not remote, for it to give rise to a serious data breach.[4]

Should the draft Bill be passed in its present form, companies will have approximately 12 months from enactment to implement mitigation strategies and data breach response procedures. This may include compliance practices involving IT forensics, preparing notifications, public relations strategies and dealing with customer inquiries and complaints, all to be delivered within a 30-day response timeframe.

Solutions to Protect Against Loss

It has been suggested that companies should now also think seriously about deploying a Cloud Access Security Broker solution, as the cost of a cyber attack (and the mandatory cost of notifications, policies and procedures under the proposed Bill) will be significant.

The Cost of Cyber-security Complacency

The cost of data breaches should never be underestimated. Computer Weekly reported that TalkTalk, a communications service provider, lost 101,000 customers after last year's (October 2015) data breach, which saw the personal information of 155,000 people compromised in a major cyber attack on its website. According to Computer Business Review, the true quantum of the breach amounts to £60 million (or approx. US$87.5 million).

When the US introduced mandatory data breach notification laws, the number of reported data breaches jumped significantly. In 2015, Australia's Information Commissioner reported 110 notified breaches. Global trends suggest that cyber crime and the threat of data breach instances are on the rise.

The draft Bill calls for companies to take steps now to defend against cyber attacks and be prepared to respond appropriately if breached. It is open for public comment until March 04, 2016.

1. [https://www.ag.gov.au/consultations/pages/serious-data-breach-notification.aspx (last accessed 03/02/16)]
2. [https://www.oaic.gov.au/agencies-and-organisations/guides/data-breach-notification-a-guide-to-handling-personal-information-security-breaches#step-3-notification (last accessed 04/03/2016)]
3. [https://www.oaic.gov.au/privacy-law/privacy-act/australian-privacy-principles (last accessed 03/02/16)]
4. [https://www.ag.gov.au/Consultations/Documents/data-breach-notification/Consultation-Draft-Exp-Memorandum-Privacy-Amendment-Notification-of-Serious-Data-Breaches-Bill-2015.pdf (last accessed 03/02/16)]