Companies to Face Mandatory Data Breach Notice Down Under

By Murray Griffin

Most companies in Australia will be required in 2018 to notify the national privacy regulator and affected individuals of certain data breaches under long-awaited legislation that cleared Parliament Feb. 13.

Australia will become one of only a handful of Asia-Pacific countries with a breach notice law. The Philippines has a general breach notice law and Japan and China have limited breach notice requirements. Most multinationals already are familiar with the concept as 47 U.S. states and several Latin American countries have breach notice laws on the books. Sector-specific breach notice laws, primarily in the electronic communications sphere, have been in place for several years in Europe, and a new European Union privacy regime that takes effect in May 2018 includes a general data breach notice requirement covering nearly all companies.

The law covers companies with revenues in Australia of over A$3 million ($2.3M), so most multinationals that do business in Australia will exceed the revenue benchmark. For example, Jeld-Wen Holding Inc., a Charlotte, N.C.-based maker of doors and windows, did A$133.8M in sales in Australia in the last quarter of 2016, Bloomberg data show.

Companies subject to such laws have experienced increased compliance costs, both in monitoring cybersecurity incidents to determine whether notification is required and in actually providing notification to individuals. In June 2016, the Traverse City, Mich.-based Ponemon Institute estimated that the average notification cost per breach for surveyed U.S. companies was $590,000. By contrast, breach notice costs reported by Australian companies under the country's voluntary breach notice system averaged only $60,000. Breach notice costs in Australia are likely to rise once notification becomes mandatory and the number of required notices increases.

Risk of Harm Trigger

There are “some tricky questions for a company trying to determine whether they are required to notify” and businesses could seek advice from the privacy commissioner on whether a breach met notification criteria, Brendan Tomlinson, information technology special counsel at the Maddocks law firm in Sydney, told Bloomberg BNA.

The legislation includes a risk-of-harm trigger that limits which breaches companies must report; where the trigger is met, notice must be given within 30 days of discovering the breach. The law requires notification of an “eligible data breach,” meaning unauthorized access to or disclosure of personal information that a reasonable person would conclude “is likely to result in serious harm” to an individual to whom the information relates.

Serious harm isn’t defined in the bill. Factors cited to determine whether serious harm is likely include the sensitivity of the information breached, the type of person who might gain access to the information, and the nature of the harm that may result from a breach. The legislation doesn’t specify the types of serious harm that can be considered notifiable, but an official explanatory memorandum on the measure says the harm can be physical, psychological, emotional, economic, financial or reputational.

Companies should already be familiar with the risk analysis tied to economic harms such as identity theft or credit card fraud. The psychological, emotional and reputational risks are akin to harms discussed in other contexts, such as personal negligence and other tort claims, and may be less familiar in the breach notice setting. They aren't cited as a risk-of-harm trigger in most breach notice statutes, although many statutes don't require any evidence of risk of harm at all to trigger the notice obligation.

Privacy Regulator Guidance Needed

Attorney-General Senator George Brandis Feb. 13 told the Senate it would be “very difficult, indeed I dare say impossible to legislatively define” the threshold at which a breach would constitute a risk of serious harm.

Although defining the risk of harm threshold may be hard, “a body of precedent and practice will develop as the legislation operates” to clarify what constitutes serious harm, Brandis said.

This would be “assisted by the publication of compliance guidance by the Office of the Australian Information Commissioner,” he said. The Office of the Australian Information Commissioner hosts the Office of the Privacy Commissioner.

Tomlinson predicted that the privacy commissioner would be busy making breach notice evaluations and that the number of breach notices will rise above the levels seen now under the voluntary notice scheme.

Privacy commissioner Timothy Pilgrim welcomed the passage of the legislation. “My office will be working closely with agencies and businesses to help prepare for the scheme’s commencement,” he said in a Feb. 13 statement.

Data Governance Australia Chief Executive Jodie Sangster told Bloomberg that many companies have been operating in line with the existing voluntary breach notification regime, so making it mandatory “in many respects won’t be a huge change.” Data Governance Australia is a non-profit group that works with companies that handle data to establish data security and other best practices.

Penalties for failure to meet the breach notification requirements are governed by the sanctions in the Privacy Act. The Privacy Act's civil penalty provision for serious or repeated interferences with privacy carries a maximum of 2,000 penalty units. A penalty unit is a dollar value the government adjusts periodically; at the latest figure of A$180 ($138), 2,000 penalty units is approximately A$360,000 ($275,418). That is the maximum for an individual; under the Commonwealth's standard regulatory provisions, a body corporate faces up to five times that amount, roughly A$1.8 million.

To contact the reporter on this story: Murray Griffin in Melbourne at

To contact the editor responsible for this story: Donald Aplin at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.