By Ron Cohen

9 February 2018

Cyber security is a growing issue that has affected a range of stakeholders, including governments and corporations. Just last year Uber admitted to a massive hack of 57 million users’ data. Cyber crime is becoming increasingly sophisticated and can affect every business.

As a result, the Australian government has now introduced new legislation which comes into effect on 22 February 2018. The Notifiable Data Breaches Act, which amends the Privacy Act, will impose increased reporting obligations for data breaches that could result in serious harm to individuals.

Cyber Security and the Notifiable Data Breaches (NDB) scheme

The new legislation creates the Notifiable Data Breaches (NDB) scheme, which forms part of a government initiative to deal with the growing amount of cyber security crime. It places added obligations on businesses to report any cyber security breach, meaning businesses have greater responsibilities when dealing with personal information of customers and employees that they store.

Businesses under this scheme will have a mandatory obligation to report eligible data breaches to the Office of the Australian Information Commissioner (OAIC) and to all individuals who may be affected by such a data breach.

Where an entity is aware that there are reasonable grounds to believe an eligible data breach has occurred, it must prepare a statement containing its contact details, details regarding the breach, the information that is at risk and the steps it plans to take to mitigate the harm that could arise from the breach. Further, the entity must provide a copy of this statement to the OAIC and take reasonable steps to notify all individuals that are affected or at risk.

The NDB scheme provides that any breaches that are likely to cause serious harm to an individual must be reported. Serious harm refers to:
– Identity theft
– Financial loss
– Threat to physical safety or emotional wellbeing
– Loss of business or employment opportunities
– Humiliation or damage to reputation

Examples of eligible data breaches include:
– Personal information being accidentally given to the wrong person;
– A device containing customers’ personal information being stolen or lost;
– A system containing personal information being hacked.

Which businesses need to be compliant?

The NDB scheme applies to various companies, businesses, agencies and organisations. These include*:
– Australian government agencies
– Businesses and not-for-profit organisations with a turnover of $3 million or more
– Credit reporting organisations
– Health service providers
– TFN recipients, e.g. employers
– Entities that trade in personal information
*This list is not exhaustive.

It should also be noted that many small businesses with less than $3 million turnover may not realise they are also subject to the reporting obligations. To be safe, small businesses should take relevant steps to ensure they are familiar with the NDB scheme and whether it applies to them.

What this means for businesses

The new laws impose further obligations on businesses in relation to their duties to customers, employees and other key stakeholders. Predominantly, entities will now have to:
– Review how they organise and store their information
– Review any data protection measures currently in place, and subsequently incorporate suitable data protection measures
– Minimise the risk of data breaches.


What is most important is the fact that a failure to notify of any ‘eligible data breach’ is considered an interference with the privacy of an individual under this scheme. This could result in significant civil penalties, including up to $360,000 for individuals or $1.8 million for organisations.

As a result, all businesses will need to review all relevant procedures that are currently in place.

In order to be compliant with these new laws, businesses should consider seeking legal advice to ensure they are not at risk of these substantial penalties.


If you have any questions relating to these issues, please contact a member of our Business Law team.
