Does this apply to my organisation?
All businesses with an annual turnover of more than $3 million must comply.
When has an eligible data breach occurred?
An eligible data breach arises when:
- there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds;
- that is likely to result in serious harm to one or more individuals; and
- the entity has not been able to prevent the likely risk of serious harm with remedial action.
Examples of a data breach would include:
- Providing or emailing personal information to the incorrect people (even mistakenly);
- Contractors or employees disclosing personal information outside the bounds of their employment;
- A company’s computer system containing customers’ personal information is hacked; or
- Loss of data storage or a computer device which contains personal information.
What does notification entail?
When an entity experiences a data breach, the first step is to contain the breach where possible and take remedial action. Where the likely risk of serious harm cannot be mitigated through remedial action, the entity must notify the individuals at risk and provide a statement to the Commissioner as soon as practicable.
What should I do?
All businesses subject to the rules should take the following steps now:
- Create a plan to mitigate the risks of a breach; and
- Consider cyber insurance to protect against the financial ramifications of such an incident.
If you would like further information regarding these matters, please contact your accountant at Hoffman Kelly who will be able to confirm whether the rules apply to your business, discuss the most likely data breaches that could occur in your business, and help you understand the financial consequences that could occur in the event of a data breach. We can also assist with arranging cyber insurance to protect against the risk.
You can also follow the link below to the Australian Government’s publication: