Mandatory Reporting – Cyber Breach

Date: March 14, 2017



At some stage, you will be the victim of a data breach.  The consequence of a data breach could be that the personal information of your clients is exploited.  According to data collected by Gemalto in its Breach Level Index (BLI), there were 974 data breaches worldwide in the first half of 2016, up 15% from the previous six months. Of those incidents, 29 affected more than one million records.  Perhaps what is most disturbing is that Australia had five and a half times the number of data breaches of China.

In response to these increasing threats, government, business and the not-for-profit sector are expected to take reasonable steps to protect the personal information of customers.  Government agencies and businesses governed by the Privacy Act will soon be required to notify any individuals affected by a data breach that is likely to result in serious harm. The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) passed the Senate on 13 February 2016 and received assent on 22 February 2017. The effect of the changes is that the Privacy Act 1988 (Cth) (Privacy Act) will now impose mandatory data breach notification requirements on entities when there has been an ‘eligible data breach’.

Don’t ignore this development, as significant penalties, including fines of up to AUD$360,000 for individuals and AUD$1.8 million for organisations, can be imposed.

Do these changes apply to you?

If you are an APP entity, i.e. you are bound to comply with the Australian Privacy Principles, then mandatory reporting applies to you. Entities include:

So what is an eligible data breach?

An eligible data breach happens if:

Who and what must you notify?

In the event of an eligible breach you must notify:

You will be obligated to set out:

When must you notify?

An entity must give a notification if:

Author’s Comment

Does the legislation go far enough?  Does it go too far?  I expect there will be a compliance burden on a number of sectors but much will depend on how the words ‘likely’ and ‘serious harm’ are interpreted.

It will be interesting to see what steps are taken by the government and regulators with respect to those most vulnerable in our community, including children, who may not be equipped to take advantage of the warnings provided.  One step at a time…

The other burning question to me as an insurance lawyer is how the insurance market will respond to these changes.  Some cyber policies presently offer cover for fines and penalties.  When those policies were written, one would assume that the cover was contemplated to be in relation to breaches reported to the Commissioner under the Australian Privacy Principles.  Typically, those types of fines and penalties were small in monetary value.  Over the next two years the insurance industry will need to keep a close eye on the enforcement of the amendment.  Premiums for cyber insurance are likely to increase, but maybe the value clients demand from these policies will increase too.


Rosan Santangelo
Direct:  +61 (2) 9376 1144
