Data Breach Disclosure Legislation

April 26, 2016 2:00 pm

Australia’s long awaited mandatory data breach regime moves closer to reality.

The Attorney-General’s Department has released a draft of the Australian Government’s promised mandatory data breach notification bill. The Attorney-General’s Department recently sought comments on an exposure draft of the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 (Cth) (Exposure Bill).  The submission period has now closed and the Attorney-General’s Department has published a number of the non-confidential submissions on its website.

Many of the submissions raised similar issues, including:

  • Concerns about the scope or lack of definition of key terms in the Exposure Bill, such as ‘real risk’ and ‘serious harm’;
  • The possibility of ‘notification overload’ arising from too many data breach notifications being received by consumers;
  • The possibility that multiple notifications of the same data breach may be required, perhaps from the organisation that collected the personal information and also by the service provider whose service was the subject of the actual data breach;
  • The application of the Exposure Bill to undetected breaches that organisations ought reasonably to be aware of;
  • The timing of requirements to notify affected individuals of the occurrence of the data breach;
  • The need for the opportunity to consult with the Australian Information Commissioner in relation to the breach.

The Attorney-General’s Department is likely to take some time to consider the submissions and may recommend changes to the Exposure Bill before it is introduced to Federal Parliament. An early Federal election could affect the progress of a bill through the Federal Parliament. In the event that a bill is introduced into Parliament but does not pass through both houses prior to an election, the bill will lapse on the dissolution of Parliament. This was the fate of the previous Privacy Amendment (Privacy Alerts) Bill 2013 (Cth) under the former Labor government.

However, there is every indication that the introduction of a mandatory data breach notification regime has the support of the major political parties. It is still considered likely that a bill will be introduced to Parliament and passed during the course of this year, with the law to take effect in late 2017.

What does this mean to my organisation ?
Organisations should be proactive in this area and should start preparing for the introduction of mandatory data breach notification obligations as part of their overall cyber-risk management strategy.

To be able to effectively manage risk, as part of their cyber-risk management framework organisations will need to have an incident response plan detailing the steps to be taken if a breach occurs, including notification of the Privacy Commissioner, Card schemes and consumers. Many breaches arise from weaknesses in supplier and service provider systems.  It is therefore important to include supplier services in your cyber-risk management framework.

Vectra is able to provide Australian Privacy Act compliance assessments to review the level of compliance with the Australian Privacy Principles.  Our consultants can help organisations address and deficiencies, develop a cyber-risk management framework and an incident response plan.  Please contact us for further details on 1800 816 044.

Kelvin Heath
Chief Security Officer