Strategic Group Blog


Written by Emily Gam
on February 26, 2018

Earlier this year the new Mandatory Data Breach Notification laws came into effect. This means that if there is a data breach in your business, you are required by law to notify your customers; failure to do so can result in fines of up to $2.1 million.

So what do you need to know?

What is a data breach?

A data breach occurs when personal information (name, contact or banking details, etc.) is accessed or released without proper authorisation, or is lost and likely to be accessed or released without authorisation.

Examples of a data breach can include:

  • A device that holds customers' information is lost or stolen
  • A database storing customer information is hacked or accessed without consent
  • Personal information is sent to the wrong person

When should you send a notification?

You need to send a data breach notification when the breach is likely to result in ‘serious harm’. Examples of serious harm include:

  • Financial loss through fraud
  • Identity theft
  • Risk of physical harm, such as by an abusive ex-partner
  • Psychological harm
  • Reputational harm

How do you notify users?

You can notify affected parties either directly (email, phone) or indirectly (notification on your website). You must also notify the Office of the Australian Information Commissioner (OAIC).

You have a maximum of 30 days to notify the affected parties.

What should be included in the notification?

The following should be included in your notification:

  • The personal information involved in the breach
  • A description of the data breach
  • Your contact details
  • Recommendations for steps the affected parties can take to minimise harm

Example scenario

A staff member loses a USB containing clients’ personal information on their way to work. The USB held clients’ names, tax file numbers, and financial information. The USB is not encrypted or password protected.

The staff member reports the loss to their manager. The organisation believes it is likely that the information on the USB would be used for identity theft, or to send malicious emails. The organisation notifies each of its clients by email about the data breach and includes recommended steps to lower the risk of identity theft.

In this scenario the organisation has taken the correct steps to notify users of the potential breach and would not be liable for fines under the Mandatory Data Breach Notification law.

The 2017 Australian Community Attitudes to Privacy Survey found that 94 per cent of Australians believe they should be told if a business loses their personal information. Ninety-five per cent said they should be told if a government agency loses their personal information.
