Been hacked? Now you don't have to wait years to find out

If your house was robbed and all your personal information was stolen, you'd want to know about it. So why shouldn't the same rules apply online?

Claire Reilly Former Principal Video Producer
Claire Reilly was a video host, journalist and producer covering all things space, futurism, science and culture. Whether she's covering breaking news, explaining complex science topics or exploring the weirder sides of tech culture, Claire gets to the heart of why technology matters to everyone. She's been a regular commentator on broadcast news, and in her spare time, she's a cabaret enthusiast, Simpsons aficionado and closet country music lover. She originally hails from Sydney but now calls San Francisco home.
Expertise Space, Futurism, Science and Sci-Tech, Robotics, Tech Culture Credentials
  • Webby Award Winner (Best Video Host, 2021), Webby Nominee (Podcasts, 2021), Gold Telly (Documentary Series, 2021), Silver Telly (Video Writing, 2021), W3 Award (Best Host, 2020), Australian IT Journalism Awards (Best Journalist, Best News Journalist 2017)
Claire Reilly
3 min read
James Martin/CNET

No one likes being hacked. Just ask the users of 1 billion Yahoo accounts that found out last year they'd been hacked back in 2013. Or have a chat to a panicking Ashley Madison customer, circa 2015.

But now Australians who have their personal data compromised online will know about it -- and they won't have to wait years for the privilege.

That's all thanks to new laws passed by Parliament, requiring big companies and government agencies that deal with your personal data to notify you if your information is hacked, compromised or mistakenly released.

You may think your credit card details or bank account are the big things to protect online. But in an era of fewer face-to-face interactions and when everything is conducted online, personal information is gold.

Calling your bank to make changes to your account? All you need is to verify your name, address and date of birth. Contacting Centrelink, shutting off your electricity or accessing your private medical records? A little personal info goes a long way.

And while getting notified about a data breach might seem like a no-brainer -- the equivalent of knowing you should change your locks if your house has been robbed -- Australia has been relatively slow to get these laws passed.

Politicians and privacy experts have been pushing to change the Privacy Act for years, calls that have become increasingly urgent as Australians have started to share more of their personal information online.

The Australian Law Reform Commission has been on the case since as far back as 2008, when it warned that data breaches don't just open the door to identity theft and fraud. They warned that "serious harm" from a breach could also have repercussions such as discrimination if a person's medical records were released.

But the call for Data Breach Notification laws really picked up pace in 2014, when daily deals website Catch of the Day revealed that it had been hacked three years prior, and had failed to inform its customers. (To this day, Catch of the Day has never revealed why it failed to inform customers in a timely manner.)

Australia has had a voluntary notification scheme in place for some time, but Australian Privacy Commissioner Timothy Pilgrim has previously said the voluntary nature of the scheme could lead to many breaches going "unreported."

Now, the Privacy Amendment (Notifiable Data Breaches) Bill 2016 will require companies and government agencies by law to keep Australians in the loop.

Here's the basic rundown.

A hack or data breach requires public notification if:

  • It involves unauthorised access to, disclosure of or loss of personal information
  • A "reasonable person" would conclude the release of that data could cause "serious harm" to individuals
  • The breach involves a government agency, a company with turnover of more than AU$3 million a year, or smaller companies that deal with sensitive data such as medical records

If a company or agency suspects it has been hacked, it has 30 days to conduct an assessment of the issue, and then notify the privacy commissioner of the details of the breach as well as the affected customers and the personal information involved.

From there, the hacked party needs to notify customers individually or, if that's not practicable, issue a statement on their website and "take reasonable steps" to publicise the issue.

So while you might normally be a little lazy when it comes to changing your passwords regularly, at least now if someone breaks in, you'll know to change the locks.

Batteries Not Included: The CNET team reminds us why tech stuff is cool.

CNET Magazine: Check out a sample of the stories you'll find in CNET's newsstand edition.