Cyber Insurance - Mandatory Data Breach Notification in Australia

March 07, 2017| Von Nicholas Murphy | Cyber Risk | English

Region: Australia

The long debate about mandatory notification of a data breach in Australia is now over.

On 13 February 2017 the Australian Federal Parliament passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016, which will next be converted to an Act of Parliament later this year. It is to become effective on 22 February 2018.

The new law will impose mandatory data breach notification provisions upon a wide range of businesses. If a data breach occurs, businesses will have to notify all affected individuals in addition to the Office of the Australian Information Commissioner (OAIC).

Currently, mandatory data breach provisions are in place but only for certain specialised activities, such as healthcare providers storing personal health records and financial services licensees storing personal financial records.

The new law will drastically change the breach reporting regime. It will have wide-ranging application, including all businesses and not-for-profit organisations that have an annual turnover of more than AUD $3 million. It will also apply to federal government agencies, but exclude state or local government agencies.

Fines and penalties will apply if an organisation does not comply. Fines of up to AUD $1.8 million can apply to businesses and up to AUD $360,000 for individuals.

All businesses subject to the new law would be well advised to institute and test breach notification procedures before the new law is enacted. Apart from the fines, the cost of breach notification without pre-set procedures in place could be very high and the reputational damage could be very costly.

Cyber insurance is an advisable back-up to a breach response plan. The Cyber insurance market in Australia is currently estimated at AUD $25 million to $35 million per annum. This is anticipated to grow rapidly over the next few years, as awareness increases and legislation such as this latest bill come in to effect.

Don’t hesitate to contact us with any questions about this new development and what it means for insurance companies in Australia, Asia Pacific and many other regions around the world.

For more information on this topic, here are three useful references:

1. Australian Law Reform Commission view on Data Breach Notification

2. Parliament of Australia - Privacy Amendment (Notifiable Data Breaches) Bill 2016

3. Office of the Australian Information Commissioner - Guide to mandatory data breach notification in the PCEHR system


Stay Up to Date. Subscribe Today.


Lernen Sie unsere Experten kennen

View Contributors