Take notice! You'll soon have to inform the Office of the Australian Information Commissioner (OAIC) and any potentially affected individuals of a relevant data breach.
There are risks and costs to a program of action, but they are far less than the long range cost of comfortable inaction — John F. Kennedy
The new mandatory data breach laws require organisations to promptly notify the Office of the Australian Information Commissioner (OAIC) and any potentially affected individuals of an "eligible data breach". This ensures that affected individuals can take remedial steps in the event that their personal information is compromised.
If you haven't already taken steps to ensure that your IT systems meet the new obligations, then you need to act now!
The sources for this post are the OAIC website and the Clayton Utz lawyers website.
If you have reasonable grounds to believe that an eligible data breach has occurred, you will need to notify the OAIC and the affected individuals as soon as practicable. According to the OAIC:
If an organisation only has reasonable grounds to suspect that an eligible data breach has occurred, the notification obligation will not arise. However, the organisation will be required by the new legislation to complete a "reasonable and expeditious" assessment into the relevant circumstances within 30 days.
There is quite a legal aspect to all this and I can see the lawyers having a field day with this new legislation. It's much better to take action and have systems in place to prevent a data breach in the first place.
Notification will not need to be given if the organisation takes remedial action in time, so that the breach is no longer likely to result in serious harm to any of the affected individuals.
Importantly, the ability of an organisation to detect a data breach at the first available opportunity and take action in respect of it will be a function of the organisation's preparedness for such an occurrence. If you don't have IT systems in place that can detect a breach, then you need to act now.
A failure to comply with the notification obligations will fall under the Privacy Act's existing enforcement and civil penalty framework. Accordingly, organisations may be subject to anything from investigations to, in the case of serious or repeated non-compliance, substantial civil penalties. These fines can be up to $2,100,000.
You must prepare for the new mandatory data breach notification laws. A suggested course of action:
To be properly prepared, you will need to have in place detailed policies and procedures that set out the steps to take in response to a serious data breach. It doesn't matter whether the breach occurred through inadvertence on the part of the organisation and its employees (e.g. personal information being lost) or following a co-ordinated attack by hackers. For further information refer here: https://www.oaic.gov.au/engage...