Australian businesses now legally obliged to report data breaches or cop hefty fines

It took a while, but the 2016 Privacy Amendment Bill was finally passed into legislation last year after getting the royal say-so to become law, and its conditions will be enforced from today.

Effective immediately, the law requires all Australian businesses, not-for-profit organisations and government agencies with an annual turnover of $3 million or more to report any and all data breaches involving customers’ personal data. Failure to report any breach can result in massive fines of up to $2 million.

Businesses will have up to 30 days to report the breach, not only to the Office of the Australian Information Commissioner (OAIC), but to any affected individual if they are at risk of “serious harm”.

Information commissioner Timothy Pilgrim said in a statement that the Notifiable Data Breaches (NDB) scheme “[reinforces] accountability for personal information protection” and “supports greater consumer and community trust in data management”.

Coughing up

Failure to comply with the law will see companies fined up to $2.1 million, but it could also end up costing individuals a hefty penalty of up to $420,000.

While these fines may be little more than a dent in the accounts of large organisations, small businesses could be crippled if they need to cough up millions of dollars in penalties.

The OAIC hopes that the potential to lose business could see companies, especially small businesses, comply with the law. "One of the biggest risks they have is losing the trust of their customers," Mr Pilgrim added.

Speaking up

Although businesses have 30 days to report any data breach, the time limit could be extended if the incident is being investigated by authorities and public knowledge could impede the process.

However, if the company is confident that the breach has been contained and customers are not at any risk, it could be exempt from reporting the incident.

And it’s not just Aussie businesses that are obliged to report breaches – any foreign company operating on Australian soil also comes under the law. The OAIC can also work with overseas authorities to investigate international leaks.

"Two years ago, my office did a joint investigation with the Canadian commissioner's office in the Ashley Madison breach," Mr Pilgrim explained. "We found Ashley Madison in breach under both our laws."

While the NDB scheme may not be the most stringent law when compared to other countries', it is being viewed as a positive step forward in protecting Australians’ personal information.

Sharmishta Sarkar
Managing Editor (APAC)