Strategic Group Blog

Everything you need to know about IT and technology

Written by Emily Gam
on February 26, 2018

Earlier this year the new Mandatory Data Breach Notification laws came into effect. This means that if there is a data breach in your business, you are required by law to notify your customers; failure to do so can result in fines of up to $2.1 million.

So what do you need to know?

What is a data breach?

A data breach occurs when personal information (name, contact or banking details, etc.) is accessed or released without proper authorisation, or is lost and is likely to be accessed or released without authorisation.

Examples of a data breach can include:

  • A device that holds customers' information is lost or stolen
  • A database storing customer information is hacked or accessed without consent
  • Personal information is sent to the wrong person

When should you send a notification?

You need to send a data breach notification when the breach is likely to result in ‘serious harm’. Examples of serious harm include:

  • Financial loss through fraud
  • Identity theft
  • Risk of physical harm, such as by an abusive ex-partner
  • Psychological harm
  • Reputational harm

How to notify users?

You can notify affected parties either directly (email, phone) or indirectly (notification on your website). You must also notify the Office of the Australian Information Commissioner (OAIC).

You have a maximum of 30 days to notify the affected parties.

What should be included in the notification?

The following should be included in your notification:

  • The personal information involved in the breach
  • A description of the data breach
  • Your contact details
  • Recommendations for steps the affected parties can take to minimise harm

Example scenario

A staff member loses a USB drive containing clients’ personal information on their way to work. The USB drive held clients’ names, tax file numbers, and financial information. The USB drive is not encrypted or password protected.

The staff member reports the loss to their manager. The organisation believes it is likely that the information on the USB drive would be used for identity theft, or to send malicious emails. The organisation notifies each of its clients by email about the data breach and includes recommended steps to lower the risk of identity theft.

In this scenario the organisation has taken the correct steps to notify affected parties of the breach and would not be liable for fines under the Mandatory Data Breach Notification law.

The 2017 Australian Community Attitudes to Privacy Survey found that 94 per cent of Australians believe they should be told if a business loses their personal information. Ninety-five per cent said they should be told if a government agency loses their personal information.
