Mandatory data breach bill tabled
The Government has introduced a bill amending the Privacy Act to introduce mandatory data breach reporting. Credit providers, credit reporting companies and other financial institutions will be covered by the new rules. When a business suffers a breach of secure information, accidental loss of data, or negligent or improper disclosure of information, it will have to inform anyone affected and the Office of the Australian Information Commissioner.

The Privacy Amendment (Notifiable Data Breaches) Bill 2016 says a breach is an "eligible data breach" where a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of unauthorised access or disclosure. Serious harm includes physical, psychological, emotional, economic and financial harm, as well as harm to reputation.

Credit information covered by the amendment includes credit card account details, bank log-in credentials and credit reporting information. Financial institutions will be responsible for breach reporting if they have provided credit data to an overseas entity and that entity suffers a breach.

The purpose of breach reporting is to give people affected an opportunity to take steps to mitigate any loss or harm by changing passwords, cancelling accounts and so on. Organisations reporting breaches will be required to assist affected individuals to take remedial steps, such as issuing new passwords.

The other main objective is to increase transparency to better inform policy makers, regulators, law enforcement and researchers about trends in the handling of personal information. The Government's hope is that mandatory reporting will also result in improved compliance with privacy obligations.