Facebook, News of the World, Uber and who could forget the infamous Ashley Madison scandal are just a few of the data breaches in recent years that have cost billions of dollars and irreparable brand damage.
The reporting of data breaches for most organisations has not been an issue, but the increased activity of cyber criminals has led to the new requirements of mandatory reporting of data breaches. The protection of the information of your clients and staff is now a priority for your business.
Under new legislation which took effect on 22 February 2018 the mandatory requirements to report all breaches of data to the Office of the Australian Information Commissioner (OAIC) has commenced.
The new “notifiable data breach scheme” requires organisations to report a breach of data where such breach will cause serious harm to an individual. Although the term “serious harm” has not been defined, guidelines from the OAIC state that serious harm includes serious physical, psychological, emotional, financial or reputational harm. To assess the risk of such harm an organisation must now have regard to the likelihood of harm and the consequences of harm.
The notifiable obligations involve two steps:
If an organisation does not meet the requirements then the OAIC is able to investigate the organisation, make determinations and provide remedies for non‑compliance. The OAIC can require a public apology, order compensation payments and impose civil penalties. Penalties at present are $420,000 for an individual and $2.1M for companies.
These obligations are imposed upon companies with turnover in excess of $3M. However, prudence would indicate that all business should put in place necessary steps to minimise the likelihood of data breaches and the requirements to report same.
So what should organisations do to comply with the new data reporting regime? Madison Marcus suggest a 3 step approach:
Stephen Jenkins
Partner, Intellectual Property
stephen.jenkins@madisonmarcus.co
Madison Marcus Law Firm produced this article. It is intended to provide general information in summary form on legal topics, current at the time of first publication. The contents do not constitute legal advice and should not be relied upon as such. Formal legal advice should be sought in particular matters.