I have had a number of queries recently about data breaches and mandatory reporting. Currently, there is no law requiring a company to notify affected parties when a data breach involving their information has occurred (although doing so may help to mitigate loss and is often advisable). However, a new law is coming into force which will make such reporting mandatory in the event of a data breach.
We have previously written about the introduction of the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill). The Bill has now passed both houses of parliament, meaning that entities must provide mandatory notifications within 30 days of becoming aware that a data breach has occurred.
The Act will apply to entities covered by the Privacy Act, including businesses with an annual turnover of 3 million dollars or more and businesses which collect sensitive information or other specific personal information.
Be ready – the Act commences on the 22nd February 2018.