Mandatory Data Breach Reporting


It is so important to ensure the security of your online data, for the sake of your clients’ privacy, and now also for the sake of your business reputation. As of February 2018, many businesses will be required by law to report any data breaches that occur. 

There are so many benefits to cloud-based accounting and business tools, which we’ve outlined before. However, there are concerns about the security of storing personal information and client data online when there are so many hacking and phishing schemes in operation.

So far in 2017, there have been nearly 400 scams per day in Australia. And 60% of reported losses from scams and hacks have been breaches of small businesses with less than 20 staff.

In response to these security concerns, there is new legislation on mandatory data breach reporting. The Privacy Amendment (Notifiable Data Breaches) Bill 2016 establishes a notification regime for eligible data breaches in Australia.

Under the new law, if you believe your organisation has been breached, or data has been lost, you are required by law to report the incident to the Privacy Commissioner and any affected customers or clients as soon as you become aware of the breach. Failure to do so can result in fines up to $360,000 for individuals and $1.8 million for organisations.

The legislation is intended to hold businesses accountable for any breach of data that occurs, and so to encourage a proactive approach to cyber security.

Who does the new legislation apply to?

All government agencies and organisations governed by the Privacy Act, including:

  • Private sector businesses and not-for-profit organisations with an annual turnover of more than $3 million.
  • Any businesses that handle personal information for a living, including those who handle credit-reporting information, tax file numbers and health records (regardless of annual turnover).
  • Any organisation that sells or purchases personal information along with credit reporting bodies (regardless of annual turnover).
  • Private sector health service providers (regardless of annual turnover).
  • Childcare centres, private schools and private tertiary educational institutions (regardless of annual turnover).

It’s also important to be aware of where your international clients are from, and the data security laws you are accountable for when it comes to their personal information. For instance, the EU already has strict data breach laws in place, which you are required to adhere to for any clients in the European Union.

What counts as a "data breach"?

A data breach is when personal information held by an entity is lost, or subjected to unauthorised access, modification, disclosure or any other misuse or interference. Personal information includes credit reporting information, tax file numbers, addresses, contact details and credit eligibility information.

Ensure you’re prepared and protected well before the new laws take effect on 23 February 2018.

Aintree Group is on board with Practice Protect, a cyber security system specifically designed for accounting firms. Practice Protect is our proactive measure against data breaches and security risks.

Download the Practice Protect Fact Sheet for more information about the Mandatory Reporting Legislation.

Get in touch with us.

Sources and relevant articles:

SMSF Adviser
Clayton Utz