Australia finally passes mandatory data breach reporting legislation

Self-assessment and self-reporting, with exceptions for things like fat-fingered emails


Australia has finally passed mandatory computer security breach reporting laws, fifteen years after California became the first jurisdiction to do so.

It's been hard to find opposition to such laws in the time since. Major security vendors went to Canberra in the mid-to-late 2000s to lobby for it, Europe adopted its own version of the laws in 2009 and Australia's been discussing drafts since at least 2012.

The bill that passed yesterday was first floated in 2016 and made it through the House of Representatives last week.

On Monday it made it through Australia's Senate, thereby all but becoming law.

The bill made it through without amendment, although the Australian Greens tried a couple that would have shortened required reporting time from 30 to three days.

The law will now come into force at some point in the next twelve months and require organisations to keep an eye on all data flows beyond their boundaries. If they spot one that a reasonable person feels would cause “serious physical, psychological, emotional, economic and financial harm, as well as serious harm to reputation and other forms of serious harm” they are obliged to report it to Australia's Privacy Commissioner within 30 days. The Commissioner can grant an exception, removing the obligation to notify those whose personal information fell into unintended hands.

There's no independent oversight of reporting: the assessment is left to the organisation itself, so if it decides a breach doesn't meet the threshold, it doesn't have to report. The explanatory memorandum also explains an exception for organisations that spot a breach and quickly do something about it. Such cases include:

  • A financial institution which becomes aware that customer account details have been accessed by unauthorised parties, and freezes the affected accounts before any fraudulent transactions occur.
  • An entity which becomes aware that it has mistakenly emailed the information of one individual to another individual, asks the second individual to delete the information without using or disclosing it, and is confident that the second individual has complied with that request.
  • An entity which becomes aware that an employee has accessed information without malicious intent but without authorisation, where the entity restricts the employee's access to the information and otherwise ensures that no further unauthorised access, use or disclosure of the information occurs, and continues to otherwise comply with the Privacy Act in relation to the information.

Small business operators, spooks and government agencies are exempt from the new notification requirements.

All that remains now is for the bill to be rubber-stamped by Australia's vestigial monarchy, and for the government to proclaim the day on which the law must be observed. Vulture South supposes that either June 1st 2017 or January 1st 2018 offer neat choices, with the latter giving the business lobby more time to prepare and therefore probably front-runner status. ®
