[BreachExchange] Australia finally gets data breach notification laws at third attempt

Audrey McNeil audrey at riskbasedsecurity.com
Mon Feb 13 17:58:53 EST 2017


http://www.zdnet.com/article/australia-finally-gets-data-breach-notification-laws-at-third-attempt/

At the third time of asking, Australia will have data breach notification
laws.

The passage of the Privacy Amendment (Notifiable Data Breaches) Bill 2016
through the Senate on Monday means Australians will in the near future
begin to be alerted of their data being inappropriately accessed.

The legislation is restricted to incidents involving personal information,
credit card information, credit eligibility, and tax file number
information that would put individuals at "real risk of serious harm".

"It is not intended that every data breach be subject to a notification
requirement. It would not be appropriate for minor breaches to be notified,
because of the administrative burden that may place on entities, the risk
of 'notification fatigue' on the part of individuals, and the lack of
utility where notification does not facilitate harm mitigation," the
explanatory memorandum for the Bill states.

Notification laws would only apply to companies covered by the Privacy Act,
and would exempt intelligence agencies, small businesses with turnover of
less than AU$3 million annually, and political parties from needing to
disclose breaches. E-health providers are still subject to the mandatory
data breach notification scheme under the My Health Records Act.

Upon a qualifying breach or on reasonable grounds to believe that a serious
data breach has occurred, the impacted entity would need to notify the
Australian Information Commissioner and affected individuals. In cases
where it is not certain a breach has occurred, the entity has 30 days to
investigate whether notification is needed.

The new laws are set to come into force either by a proclaimed date, or a
year after they receive Royal Assent.

Speaking during the second reading of the Bill, Senator Penny Wong said
many Australians would be surprised that companies were not already legally
required to inform them when a serious breach occurred, and pointed to the
three-year delay that Catch of the Day took to inform its users as an
example of why notification is needed.

Australian Greens Senator Scott Ludlam was unsuccessful in moving a motion
to have the notification requirements apply to political parties and
businesses with turnover of less than AU$3 million.

A data breach notification scheme was recommended by the Joint
Parliamentary Committee on Intelligence and Security in February 2015,
prior to Australia's mandatory data-retention laws being implemented.

Under the data-retention laws, approved law-enforcement agencies are able
to warrantlessly access two years' worth of customers' call records,
location information, IP addresses, billing information, and other data
stored by telecommunication operators.

Two Bills that would have had a similar impact were stranded when
Parliament rose for the 2013 and 2016 federal elections.