The Bill defines an eligible data breach as one where there is unauthorised access to, disclosure of, or loss of information, and where that access or disclosure would likely result in serious harm to any of the individuals to whom the information relates. It will be mandatory to disclose any case where there are reasonable grounds to believe an eligible data breach has occurred, and businesses must advise the Privacy Commissioner. There is no doubt that cyber-attacks and data breaches will continue to increase in frequency, complexity and sophistication.
- Once the legislation comes into effect (expected within 12 months), it will be mandatory to disclose any case where there are reasonable grounds to believe an eligible data breach has occurred.
- Even if you’re not yet sure whether the relevant circumstances amount to an actual eligible data breach, you must conduct an investigation within 30 days of becoming aware of the reasonable grounds for suspicion.
- It is vital that organisations work to improve their overall cyber resilience by having a Cyber Incident Response Plan in place to respond to and report on cyber-attacks as quickly as possible.
“Senior executives are ultimately accountable for any breach and this accountability will only increase now as a result of the new regime and increased transparency.”