By Ron Cohen

9 February 2018

Cyber security is a growing issue that has affected a range of stakeholders, including governments and corporations. Just last year Uber admitted to a massive hack of 57 million users’ data. Cyber crime is becoming increasingly sophisticated and can affect every business.

As a result, the Australian government has now introduced new legislation which comes into effect on 22 February 2018. The Notifiable Data Breaches Act, which amends the Privacy Act, will impose increased reporting obligations for data breaches that could result in serious harm to individuals.

Cyber Security and the Notifiable Data Breaches (NDB) scheme

The new legislation creates the Notifiable Data Breaches (NDB) scheme, which forms part of a government initiative to deal with the growing amount of cyber security crime. It places added obligations on businesses to report any cyber security breach, meaning businesses have greater responsibilities when dealing with personal information of customers and employees that they store.

Businesses under this scheme will have a mandatory obligation to report eligible data breaches to the Office of the Australian Information Commissioner (OAIC) and all individuals who may be affected by such a data breach.

Where an entity is aware that there are reasonable grounds to believe that an eligible data breach has occurred, it must prepare a statement containing its contact details, details regarding the breach, the information that is at risk and the steps it plans to take to mitigate the harm that could arise from the breach. Further, the entity must provide a copy of this statement to the OAIC and take reasonable steps to notify all individuals that are affected or at risk.

The NDB scheme provides that any breaches that are likely to cause serious harm to an individual must be reported. Serious harm refers to:
– Identity theft
– Financial loss
– Threat to physical safety or emotional wellbeing
– Loss of business or employment opportunities
– Humiliation or damage to reputation

Examples of eligible data breaches include:
– Personal information being accidentally given to the wrong person;
– A device containing customers’ personal information being stolen or lost;
– A system containing personal information being hacked.

Which businesses need to be compliant?

The NDB scheme applies to various companies, businesses, agencies and organisations. These include*:
– Australian government agencies
– Businesses and not-for-profit organisations with a turnover of $3 million or more
– Credit reporting organisations
– Health service providers
– TFN recipients, e.g. employers
– Entities that trade in personal information
*This list is not exhaustive.

It should also be noted that many small businesses with less than $3 million turnover may not realise they are also subject to the reporting obligations. To be safe, small businesses should take relevant steps to ensure they are familiar with the NDB scheme and whether it applies to them.

What this means for businesses

The new laws impose further obligations for businesses and their duties to customers, employees and other key stakeholders. Predominantly, entities will now have to:
– Review how they organise and store their information
– Review any data protection measures currently in place, and subsequently incorporate suitable data protection measures
– Minimise the risk of data breaches.


What is most important is the fact that a failure to notify of any ‘eligible data breach’ is considered an interference with the privacy of an individual under this scheme. This could result in significant civil penalties, including up to $360,000 for individuals or $1.8 million for organisations.

As a result, all businesses will need to review all relevant procedures that are currently in place.

In order to be compliant with these new laws, businesses should consider seeking legal advice to ensure they are not at risk of these substantial penalties.


If you have any questions relating to these issues, please contact a member of our Business Law team.
