[BreachExchange] Govt gets over 30 data breach notifications in three weeks under new disclosure laws

Audrey McNeil audrey at riskbasedsecurity.com
Fri Mar 16 14:15:49 EDT 2018


https://www.arnnet.com.au/article/634785/govt-gets-over-30-data-breach-notifications-three-weeks-under-new-disclosure-laws/

The Australian Government’s Office of Australian Information Commissioner
(OAIC) has received 31 breach notifications in the three weeks after the
country’s new mandatory data breach disclosure laws kicked in.

The Government’s mandatory data breach notification legislation, Privacy
Amendment (Notifiable Data Breaches) Bill 2016, was introduced in
Parliament in late 2016, and was passed into law in February, with the new
rules taking effect on 22 February.

Under the laws, Australian businesses with an annual turnover of $3 million
or more must disclose information breaches that involve individuals’
personal information.

In instances where it is not certain that a breach has occurred, the new
laws give organisations up to 30 days to investigate whether a breach
notification is needed.

Under the regime, companies are required to disclose breaches as soon as
possible or within a 30-day window in instances where it is not certain
that a breach has occurred.

Now, the agency tasked with handling the notifications, the OAIC, has
revealed that it received a total of 31 such notifications in the three
weeks after the new regime took effect.

While it hasn’t started yet, OAIC intends to begin releasing statistical
information on the data breach notifications it receives on a quarterly
basis, starting with information up to the end of March this year.

The data breach notification tally comes as shipping firm Svitzer, a
subsidiary of global shipping giant Maersk, notifies the OAIC of a data
breach that reportedly affected almost half of its Australian employees.

As reported by ABC News, emails from the accounts of at least three of the
company’s Australian employees were automatically forwarded to locations
outside of the company. The notification was confirmed by the OAIC.

“Svitzer have provided a notice to the OAIC about the data breach,” a
spokesperson for the OAIC said. “In accordance with its usual procedures
and the OAIC’s privacy regulatory action policy the OAIC will assess the
information in the notification and decide if any further action is
required.

“Importantly, the primary purpose of the Notifiable Data Breaches scheme is
for organisations and agencies to notify affected individuals where a data
breach may be likely to result in serious harm so that the individuals can
take action themselves to reduce the chance of experiencing that harm,” the
spokesperson said.