Australia’s mandatory data breach notification scheme has officially come into effect as the federal government looks to further ramp up its focus on cyber security.
The data breach notification scheme, which requires by law all Australian government agencies and any company governed by the Australian Privacy Principles to notify individuals if a breach takes place, came into effect on Thursday.
All Australian government agencies, any organisation or company with annual turnover of $3 million or more, credit reporting bodies, health service providers and TFN recipients are included in the scheme. They are now required to notify affected individuals within 30 days of a data breach taking place that is likely to cause “serious harm”.
Businesses are also required to notify the Office of the Australian Information Commissioner of the details of the breach. Failure to comply with the new scheme can result in a fine of up to $2.1 million.
It comes as the federal government is set to announce a major new public awareness campaign on cyber security issues.
“Just like so many other successful public awareness campaigns, we must bring the reality of the threat to every person in Australia,” Cyber Security Minister Angus Taylor said.
“The risk and costs are too great if we fail. Words like malware, denial of service attack or phishing don’t mean very much to the average Australian.
“But the consequences of those three terms do – you can lose your entire business overnight,” he said. “We must get better at communicating this to the general public.”
Mr Taylor, who will address the National Press Club on cyber issues on Thursday, has also flagged a different approach to government investment in cyber security.
“We want to change our investment so that [local cyber businesses] can get contracts and we want to give you the assistance you need to export your ideas successfully. The future is bright,” Mr Taylor said.
He said that with the new data breach notification scheme, not knowing how to protect data is no longer an excuse.
“There is a lot of information now available on cyber security. The onus is with business operators, with organisations and with government agencies, to put measures in place to reduce the risk of data breaches,” Mr Taylor said.
Attorney-General Christian Porter said the regime was “setting new standards of accountability and transparency to protect individuals’ personal information”.
“This means that Australians will know if their personal information has been breached and will be empowered to protect themselves, by being able to act quickly to minimise damage,” Mr Porter said.
Australian Information Commissioner Timothy Pilgrim, who announced his upcoming retirement earlier this week, said the scheme would hold Australian companies to account.
“The Notifiable Data Breaches scheme formalises a long-standing community expectation to be told when a data breach that is likely to cause serious harm occurs,” Mr Pilgrim said.
“The practical benefit of the scheme is that it gives individuals the chance to reduce their risk of harm, such as by re-securing compromised online accounts,” he said.
“The scheme also has a broader beneficial impact – it reinforces organisations’ accountability for personal information protection and encourages a higher standard of personal information security across the public and private sectors.
“By reinforcing accountability for personal information protection, the NDB scheme supports greater consumer and community trust in data management.
“This trust is key to realising the potential of data to benefit the community.”
To coincide with the regime coming into effect, the Office of the Australian Information Commissioner released a series of guides and information for companies and individuals, outlining the scheme and how it would be implemented.
Under the scheme, an eligible breach is defined as “unauthorised access to or disclosure of personal information, or loss of personal information that is likely to result in serious harm to one or more individuals and the entity has not been able to prevent the likely risk of serious harm with remedial action”.
The laws do not define “serious harm”, but do say that it can be related to serious physical, psychological, emotional, financial or reputational harm.
An eligible Australian company that has been the victim of a data breach has up to 30 days to assess the severity of the breach and determine whether a notification is needed.
“We expect agencies and organisations to take action to reduce the chance that individuals experience harm if a data breach occurs,” the OAIC guide said.
“If this action is successful, and the data breach is not likely to result in serious harm, notification is generally not required under the NDB scheme,” it said.
All eligible entities are now expected to have developed a data breach response plan, outlining the roles and responsibilities if a breach occurs and a strategy for containing it.