On 28 May 2013, the Attorney‑General announced that organisations will be required to notify individuals of a data breach where those individuals face a real risk of serious harm. Currently organisations are only encouraged to disclose data breaches voluntarily. Data breaches can cause financial loss and psychological harm to the individuals affected, and there is general evidence that data breaches are increasing internationally. Depending on the current level of under‑reporting, mandatory notification may allow more individuals to take steps to reduce the risk of financial loss from identity theft. Mandatory notification is also intended to promote better practice in securing personal information and better compliance with other privacy obligations.

The organisations covered by mandatory data breach notification are those with revenue greater than $3 million, together with those smaller organisations that deal with personal information. The actual cost of complying with data breach notification will largely depend on an organisation's existing investment in information security. A Regulation Impact Statement was prepared by the Attorney‑General's Department and assessed as adequate by the Office of Best Practice Regulation.
- Mandatory Data Breach Notification RIS [270 KB]
- Mandatory Data Breach Notification RIS [526 KB]