What Your Company Needs To Know About The New Data Breach Scheme

1 year ago | by C3 Group


The Privacy Amendment (Notifiable Data Breaches) Act 2017 will come into effect in just two weeks.

As of February 22, 2018, all businesses with an annual turnover of at least $3 million, as well as smaller organisations that handle health data, will be required to notify the Office of the Australian Information Commissioner, and any impacted clients, when a significant data breach occurs. Here’s what you need to know:


1. What businesses are affected by this?

  • Australian government agencies,
  • Businesses with an annual turnover of at least $3 million,
  • Any small organisations that handle health data,
  • Any for-profit, government, or not-for-profit organisations dealing with any of the following:
    • Credit reporting or building data
    • Personally identifiable information, or
    • Tax data.

2. How can businesses get prepared?

It’s important that companies of this size, or those dealing with sensitive information, speak with their legal team to ensure they’re adhering to the policies within this law.

We also recommend you get a better handle on the data your company actually needs to obtain from customers – you could be collecting unnecessary data, adding avoidable risk to your business. IT Providers can help you with this by performing an audit to determine the customer data your company currently collects.

After refining your data collection, you can ask your IT Provider about your options for additional security. This is essential to a sound cybersecurity policy, including solid and regular backups. Ask them specifically about added encryption, and stronger authentication such as two-factor authentication (2FA), or even a simple password vault.

Be sure you also get clarification on the data backup and recovery policy your company has in place. Understand where your backups are going, whether that location is secure and within Australia, and ask for regular restore tests to be completed to ensure the backups are working correctly.

3. Developing a solid compliance response plan:

Along with a firm timeline to act upon, there are three points of focus that need to be within your response plan:

  • Identifying and closing security holes (get your IT Provider to assist you with this),
  • Notifying government agencies and impacted individuals, and
  • Training staff to prevent another breach (if this was caused by human error, like sending emails with sensitive information to the wrong people, etc.).

Ensure that when you’re putting this plan into place, you include all third-party providers that have access to your data – clear communication with everyone involved in your data touch points is critical.

Here’s a checklist made available by the government to ensure you’re covering all applicable areas.

4. Get your staff on board:

In today’s age of mobile devices, bring your own device (BYOD) is quite common. We recommend implementing a security and privacy policy covering all devices brought in by staff and visitors, as these devices (particularly those owned by staff) are likely to house sensitive customer information. Staff also benefit from stronger security on their own devices, allowing them to work safely.

In addition to this, it’s important you train your staff on how to act when there’s a data breach. Just like a fire drill, getting your IT Provider to help you schedule drills with varying data breach scenarios will allow your staff to know how to react if a breach occurs. This will refine your plan and give you peace of mind that your staff are knowledgeable and prepared.

Providing your staff with additional education surrounding cybercrime and threats at large is also important. If you’re partnered with an IT Provider, they can help you with this.

5. When do you actually have to notify customers?

According to the legislation, notifications are required when ‘a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals.’

In this situation, you must prepare a statement to give to the Australian Information Commissioner, and notify any affected individuals as soon as possible. The notification is required to include:

  • The information compromised,
  • The situation,
  • What clients should do immediately, and
  • Your contact details.

6. What happens if you fail to comply with the new legislation?

There are two types of penalties here. First are the legal penalties; if you fail to comply with these laws, consequences include a public investigation that could result in civil penalties of up to 10,000 penalty units – equating to $2.1 million.

The other penalty is that of public shaming. Depending on your company type, this could be quite the scandal in the media, or other companies may employ marketing tactics to sway the public in their favour: ‘Trust us with your data, we keep it protected – unlike XYZ.’


You can read more about this legislation on the Australian Government Website.

Here are some useful webinar slides regarding the legislation, and a response summary document that you can utilise in case of an incident.
