Mandatory Breach Notification Laws


Over the past two months we have written articles outlining the risk of cyber-breach to businesses. A breach can bring significant direct and third-party costs, along with the need to quickly access expert professional help afterwards. On top of this there is new legislation for mandatory breach reporting, which is the subject of this month's article.

Mandatory Breach Notification Laws

Effective 22nd February 2018 organisations will be legally obliged to disclose data breaches, but how will these new laws impact your business?

Will my business have to comply with these laws?

The law applies to organisations that have responsibilities under the Privacy Act, including:

  • Australian Government agencies
  • Businesses and not-for-profit organisations with an annual turnover of more than $3 million.

The law will also apply to certain types of businesses with an annual turnover of less than $3,000,000 in the following business segments:

  • Private sector health service providers (including alternative medicine practices, gyms and weight loss clinics)
  • Child care centres, private schools and private tertiary educational institutions
  • Businesses that sell or purchase personal information, along with credit reporting bodies
  • Individuals who handle personal information for a living, including those who handle credit reporting information, tax file numbers and health records, are also covered under the new data breach notification scheme.

What is a data breach?

A data breach is defined as an instance where:

  • there has been unauthorised access to, or unauthorised disclosure of, personal information concerning one or more individuals
  • there is a likely risk of serious harm to the affected individuals as a result of the unauthorised access or unauthorised disclosure
  • information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure.

What is Compulsory Notification?

In the event of a data breach, an organisation has a duty of notification to the Office of the Australian Information Commissioner and the affected individuals of an eligible data breach “as soon as practicable after the entity is aware that there are reasonable grounds to believe that there has been an eligible data breach.”

Notification is compulsory unless it would impact upon a law enforcement investigation or is determined by the regulator to be contrary to the public interest.

What sort of Penalties may apply?

Under the new laws, where an organisation has committed “serious or repeated non-compliance with mandatory notification requirements”, they may face fines of up to $360,000 for individuals and $1.8 million for organisations.

A significant data breach can be financially crippling for an organisation. Costs can range from business interruption, ransom payments, incident response, third-party claims and legal costs, to customer notification expenses and data reconstitution.

SME Business Claims Example – Professional Services Firm

A company’s server and client records were locked by ransomware. The company was unable to have the files released unless it paid a ransom of $50,000 to the hackers.

In addition to the ransom, the business suffered losses of $150,000, including lost income whilst the files were locked and the server was down, consultants’ costs to advise on the handling of the matter and negotiation of the ransom, and costs to restore the network, as the hackers refused to release the files despite the company complying with the ransom request.

Fortunately the affected business had placed a Cyber Liability policy to respond to the attack.

So, even if your business falls outside the scope of the legislation, the potential costs and need to quickly access expert advice are reason enough to consider your options. If you want to find out more contact Nathan Corrigan at Insurance House, (02) 8913 9137 or



Authored by Raea Khan, Director Lawyer

Raea is Managing Director and Principal Lawyer for PBL Law Group. Raea assists clients with major projects, property developments, construction and strata law.

He has worked in Western Australia and Queensland assisting with expansion projects in the energy and resource sector and now predominantly advises clients in Strata and Community Association matters.

He is a member of the Australian College of Strata Lawyers, where the majority of his work is advising developers and owners corporations on disputes relating to minor and major defects, strata governance and common property litigation. He is proficient at leading negotiations and meetings.

Raea has a particular interest in the commercial aspect of any dispute and always tries to weigh up the risk, reward and benefit of legal proceedings at each different stage.

Raea enjoys all forms of competitive sport, including CrossFit, and actively participates in triathlons, representing Australia as an age group athlete. He was a member of Red Head Surf Lifesaving Club.
