By Ron Cohen

9 February 2018

Cyber security is a growing issue that has affected a range of stakeholders, including governments and corporations. Just last year Uber admitted to a massive hack of 57 million users’ data. Cyber crime is becoming increasingly sophisticated and can affect every business.

As a result, the Australian government has now introduced new legislation which comes into effect on 22 February 2018. The Notifiable Data Breaches Act, which amends the Privacy Act, will impose increased reporting obligations for data breaches that could result in serious harm to individuals.

Cyber Security and the Notifiable Data Breaches (NDB) scheme

The new legislation creates the Notifiable Data Breaches (NDB) scheme, which forms part of a government initiative to deal with the growing amount of cyber security crime. It places added obligations on businesses to report any cyber security breach, meaning businesses have greater responsibilities when dealing with personal information of customers and employees that they store.

Businesses under this scheme will have a mandatory obligation to report eligible data breaches to the Office of the Australian Information Commissioner (OAIC) and all individuals who may be affected by such a data breach.

Where an entity is aware that there are reasonable grounds of an eligible data breach, it must prepare a statement containing its contact details, details regarding the breach, the information that is at risk and the steps it plans to take to mitigate the harm that could arise from the breach. Further, the entity must provide a copy of this statement to the OAIC and take reasonable steps to notify all individuals that are affected or at risk.

The NDB scheme provides that any breaches that are likely to cause serious harm to an individual must be reported. Serious harm refers to:
– Identity theft
– Financial loss
– Threat to physical safety or emotional wellbeing
– Loss of business or employment opportunities
– Humiliation or damage to reputation

Examples of eligible data breaches include:
– Personal information being accidentally given to the wrong person;
– A device containing customers’ personal information being stolen or lost;
– A system containing personal information being hacked.

Which businesses need to be compliant?

The NDB scheme applies to various companies, businesses, agencies and organisations. These include*:
– Australian government agencies
– Businesses and not-for-profit organisations with a turnover of $3 million or more
– Credit reporting organisations
– Health service providers
– TFN recipients, e.g. employers
– Entities that trade in personal information
*This list is not exhaustive.

It should also be noted that many small businesses with less than $3 million turnover may not realise they are also subject to the reporting obligations. To be safe, small businesses should take relevant steps to ensure they are familiar with the NDB scheme and whether it applies to them.

What this means for businesses

The new laws impose further obligations for businesses and their duties to customers, employees and other key stakeholders. Predominantly, entities will now have to:
– Review how they organise and store their information
– Review any data protection measures currently in place, and subsequently incorporate suitable data protection measures
– Minimise the risk of data breaches.


What is most important is the fact that a failure to notify of any ‘eligible data breach’ is considered an interference with the privacy of an individual under this scheme. This could result in significant civil penalties, including up to $360,000 for individuals or $1.8 million for organisations.

As a result, all businesses will need to review all relevant procedures that are currently in place.

In order to be compliant with these new laws, businesses should consider seeking legal advice to ensure they are not at risk of these substantial penalties.


If you have any questions relating to these issues, please contact a member of our Business Law team.
