Data breach notification laws are expected to be introduced into parliament this week in what may be considered a surprise move by the Federal Government. Although it was a specific recommendation of the Australian Law Reform Commission (ALRC) in its report, For Your Information: Australian Privacy Law and Practice, it was thought that the government wasn't going to introduce specific data breach notification laws for some time.

The proposed laws, to commence on 12 March 2014, require notification of serious data breaches that will result in a real risk of serious harm. This commencement date coincides with a number of other privacy reforms that will come into force at that time.

The Privacy Commissioner, Mr Timothy Pilgrim, has welcomed the mandatory data breach notification laws saying "I have supported the introduction of mandatory data breach notification laws in Australia since they were first proposed by the ALRC in 2008. Currently there is no legal requirement in Australia for government agencies or private sector organisations to notify individuals when a data breach occurs, except in limited circumstances under eHealth laws".

Under current legislation, companies have no legal requirement to disclose that customer personal data they hold has been compromised. On this point Mr Pilgrim said "I am concerned that we are only being notified of a small percentage of serious data breaches that are occurring. Many critical incidents may be going unreported and consumers may be unaware when their personal information could be compromised".

Since 2008, the Privacy Commissioner has provided the business community with data breach notification guidelines on what a business should do if a data breach occurs. Over the last couple of years there have been a number of high profile data breach cases both in Australia and overseas that have caused great concern.

In commenting on these reforms the Federal Attorney-General, Mark Dreyfus, said the mandatory data breach notification laws "will be a very useful measure" and that it "is a piece of legislation that will be welcomed by the whole community".

Until the reforms are introduced into parliament we are not sure what they will entail. However, it is likely that:

  • organisations and businesses will be required to immediately notify the Privacy Commissioner, affected consumers and the media when serious data breaches from their organisation have occurred;
  • organisations will be made liable for data breaches affecting outsourced providers that do not take reasonable steps to secure their data;
  • repeat and serious offenders will face fines ranging from the hundreds of thousands of dollars to the millions for organisations; and
  • small-scale offenders could be taken to court and fined up to $34,000 for individuals, and $170,000 for organisations.