What is a data breach?

Did you know you can face fines of $360,000 to $1.8 million for not reporting privacy breaches in your business?


On 22 February 2017 the Australian Senate passed the Privacy Amendment (Notifiable Data Breaches) Act 2017, requiring that data breaches, specifically the unauthorised access or disclosure of personal information about one or more individuals, are reported to the Privacy Commissioner, other relevant regulators (such as APRA) and affected individuals within 30 days.


We consulted our cyber insurance experts “Emergence Insurance Australia” for an update on who is impacted by the new law and what it means to you.


What is a data breach?

Emergence Insurance Australia says data breaches occur where there is:

  • unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals (affected individuals), or
  • where personal information of affected individuals is lost in circumstances that may give rise to unauthorised access or unauthorised disclosure.

Data breaches may be caused by malicious intentional actions, such as a serious cyber security incident, accidental loss, loss from negligence or loss from improper disclosure.


“The mandatory reporting provisions apply where a reasonable person would conclude that there is a likely risk of serious harm to any affected individual as a result of the data breach,” Emergence Insurance says.


Is my business covered under the new reporting legislation?

Under the act, state government organisations, local councils and organisations with an annual turnover of less than $3 million are exempt from the Privacy Act. However, mandatory reporting applies to:

  • Australian government agencies
  • businesses and not-for-profit organisations with an annual turnover of more than $3 million
  • private sector health services providers (including alternative medicine practices, gyms and weight loss clinics, which fall under this category)
  • child care centres, private schools and private tertiary education institutions
  • businesses that sell or purchase personal information along with credit reporting bodies
  • some smaller organisations, such as those that handle health data, and
  • individuals who handle personal information for a living, including those who handle credit reporting information, tax file numbers and health records.

In summary

If your business requires customers to provide personal data including tax file numbers, personal health or government identification (CRN numbers), it is highly likely that you will be required under the act to report any misuses or breaches of your computer security.

Reporting means notifying your customers and the Privacy Commissioner and other relevant authorities.

For more information and how to report a breach go to



To make sure you are covered for cyber attacks on your business contact the Piranha team today.