Madison Marcus | Data Breaches and Cyber Security - New laws take effect

Data Breaches and Cyber Security

In the wake of the Facebook data privacy scandal, data breaches and cyber security have been pushed to the forefront of business risk and compliance management.

Facebook, News of the World, Uber and, who could forget, the infamous Ashley Madison scandal are just a few of the data breaches in recent years that have cost billions of dollars and caused irreparable brand damage.

The reporting of data breaches for most organisations has not been an issue, but the increased activity of cyber criminals has led to the new requirements of mandatory reporting of data breaches. The protection of the information of your clients and staff is now a priority for your business.

Under new legislation which took effect on 22 February 2018, the mandatory requirement to report all breaches of data to the Office of the Australian Information Commissioner (OAIC) has commenced.

The new “notifiable data breach scheme” requires organisations to report a breach of data where such breach will cause serious harm to an individual. Although the term “serious harm” has not been defined, guidelines from the OAIC state that serious harm includes serious physical, psychological, emotional, financial or reputational harm. To assess the risk of such harm an organisation must now have regard to the likelihood of harm and the consequences of harm.

The notifiable obligations involve two steps:

  1. prepare a statement which contains certain required information; and
  2. provide the statement to the OAIC and each individual in question.

If an organisation does not meet the requirements then the OAIC is able to investigate the organisation, make determinations and provide remedies for non‑compliance. The OAIC can require a public apology, order compensation payments and impose civil penalties. Penalties at present are $420,000 for an individual and $2.1M for companies.

These obligations are imposed upon companies with turnover in excess of $3M. However, prudence would indicate that all businesses should put in place the necessary steps to minimise the likelihood of data breaches and the requirement to report them.

So what should organisations do to comply with the new data reporting regime? Madison Marcus suggests a three-step approach:

  1. Review all information security arrangements, including data in both hard copy and soft copy form;
  2. Prepare a data breach response plan; and
  3. Instigate training for all staff as to the risks of cyber security breaches, the information security arrangements, and the management and reporting of data breaches to individuals and the OAIC.


If you require further information as to the requirements under the new data reporting regime, or wish to discuss the cyber security requirements of your business, then please contact Stephen Jenkins:

Stephen Jenkins
Partner, Intellectual Property

Madison Marcus Law Firm produced this article. It is intended to provide general information in summary form on legal topics, current at the time of first publication. The contents do not constitute legal advice and should not be relied upon as such. Formal legal advice should be sought in particular matters.
