Organizations that break the law could be fined up to $1.7M / €1.3M

May 2, 2013 06:54 GMT

The Australian government’s plans to introduce a law that would force organizations to disclose data breaches have been known for quite some time. Now, the Federal Attorney-General's Department has started circulating a draft of the bill.

SC Magazine, which obtained a copy of the document, reports that the draft, classified as “confidential,” has been shared only with a small number of key stakeholders.

Sources have told SC that the bill, which focuses only on serious data breaches, will go into effect as early as June. However, organizations will be given some time to ensure that they’re in compliance with the law.

According to the draft, a serious breach is one in which the stolen or lost data exposes individuals to a “real risk of serious harm.” The risk that the data might be unlawfully accessed or disclosed must also exist.

The breach is also considered “serious” if the impacted organization fails to properly secure the personal information of its customers, as per the requirements of the Australian Privacy Principles.

As far as the penalties go, organizations breaking the law can be fined up to $1.7 million (€1.3 million). Individuals who don’t comply can be fined as much as $340,000 (€264,000).

However, these high penalties apply only to serious offences or to organizations that repeatedly break the law.

For small offences, individuals can be forced to pay $34,000 (€26,000), and companies up to $170,000 (€130,000).

Organizations must also be mindful of whom they send customer data to. If the bill goes into force, they may be fined if the company they send the data to suffers a breach. That’s because, according to the Australian Privacy Principles, the sender must ensure that the receiving entity is also in compliance with the law.

So what must organizations do in case they suffer a serious data breach?

They must immediately send a statement to the Privacy Commissioner. The statement must contain the details of the breach, including what has been stolen and what steps should be taken by victims.

The impacted customers must also be contacted. In some cases, the company might be required to post a notice on its website or inform media outlets.

The bill doesn’t apply to law enforcement agencies because the government believes such disclosures might impact their operations.