The consequences for an Australian business victim for a breach of cyber security are forecast to exponentially increase. In February 2015 the Parliamentary Joint Committee on Intelligence and Security (Committee) recommended the introduction of mandatory data breach notification scheme (Scheme) by the end of 2015.[1] Whilst the details of the incoming Scheme are currently scant, it is understood that the enacting legislation will have bi-partisan support in federal parliament.
Mandatory data breach notifications requirements a la the Scheme are far from a recent development. They were first recommended by the Australian Law Reform Commission in 2008 and have been in place in the United States since 2003.
Lessons from the United States
Australian businesses have the benefit of approximately fifteen (15) years’ worth of practical guidance from the United States alone. In these fifteen (15) years it is estimated that 675 million data records have been reported as being compromised and 783 data breaches occurred last year alone.[2]
By and large the United States experience demonstrates the significant costs incidental to a data breach that may arise by virtue of mandatory notification schemes. Amongst these costs are the damages to reputation and public relations and the potential litigation commenced by notified parties.
Preparing for the change
Australian businesses should take heed of the United States experience and undertake a comprehensive review of their data breach policies. By ensuring that your policies for reacting to a data breach are airtight you can mitigate any damage that may arise from your obligations under the Scheme. The guidelines for dealing with data breaches released by the Office of the Australian Information Commissioner in 2012 provide a solid foundation (outlined by Dundas Lawyers here) for preparing a policy but you should seek professional advice to develop a policy more tailored to your individual business.
Links and further references
Office of the Australian Information Commissioner, A guide to securing personal information
Office of the Australian Information Commissioner, A guide to data breach preparation and response
Further information about data security
If you would like further advice on your obligations concerning data breaches please contact us for a confidential and obligation free discussion.
Malcolm Burrows B.Bus.,MBA.,LL.B.,LL.M.,MQLS.
Legal Practice Director
T: +61 7 3221 0013 (preferred)
M: +61 419 726 535
E: mburrows@dundaslawyers.com.au
Disclaimer
This article contains general commentary only. You should not rely on the commentary as legal advice. Specific legal advice should be obtained to ascertain how the law applies to your particular circumstances.
[1] Smith, P, Litigation, PR disasters and higher insurance costs expected from new data breach laws, (2015). Accessed at http://www.afr.com/technology/litigation-pr-disasters-and-higher-insurance-expected-from-new-data-breach-laws-20150805-gis75j accessed on 13 August 2015.
[2] Parliamentary Joint Committee on Intelligence and Security, Advisory report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, (2015) at p. 299.
Related insights about data security
-
The Australian Cyber Law Map – overview
The Australian Cyber Law Map provides clarity on ever-changing legal landscape, covering commercial enterprises, cyber offences, infrastructure, international law, national security and personal rights. A source for understanding laws and providing safety/security in the digital age.
-
Warning – Facebook trolls ordered to pay $150k damages
An online defamation case has resulted in two trolls being ordered to pay a hefty sum in damages. Learn more about the case and the potential consequences of making false claims online.
-
OAIC Notifiable Data Breaches report – July 2020
The OAIC’s Notifiable Data Breaches Report reveals 518 data breaches reported by eligible entities in the first half of 2020. Learn more about the types of personal information involved, the highest reporting sector, and the key takeaways from the report to protect your data.
-
Revisiting software as a service agreement
Discover the legal considerations of commercialising a SaaS (Software-as-a-Service) Agreement as a business model. Uncover the key issues to consider when going to market with a SaaS offering, such as subscription terms, service levels, data handling, intellectual property (IP) in customizations, and more.
-
Data breaches: what is serious harm?
This article looks at the notifiable data breaches scheme, and the factors to consider when determining if an eligible data breach would likely result in serious harm. It also provides an in-depth look at the Office of the Australian Information Commissioner observations in its ‘Notifiable Data Breaches Statistics Report’.
-
Abhorrent violent content prohibited
Organizations hosting abhorrent violent material, such as terrorism, murder, torture, rape and kidnapping, now face hefty fines under the Criminal Code Amendment Act 2019 (Cth), up to 50,000 penalty units or 10% of annual turnover.
