New data breach notification laws mean you're no longer in the dark

Going into effect on Thursday, Australia's new data breach notification laws will show exactly how secure -- or insecure -- your information is.

Claire Reilly Former Principal Video Producer

They say ignorance is bliss.

Until now, your personal details could have been hacked, breached or sold on the dark web and you might never have known. Sure, the bliss that comes with being ignorant of identity theft is a strange breed of happiness, but we're not here to judge.

From Feb. 22, companies and organisations will no longer be able to keep you in the dark if your personal data is involved in a significant data breach.

Known as the Privacy Amendment (Notifiable Data Breaches) Act 2017, the new laws require companies with a turnover of more than AU$3 million a year to notify customers if their personal info is involved in a data breach likely to cause "serious harm."

So why do you need to be notified?

In the age of identity theft, personal data like names, addresses and dates of birth go a long way in helping criminals impersonate you online. Whether a company is targeted by hackers, or it inadvertently exposes the data it keeps, lost personal information can end up on the dark web to be used to target individuals online.

But if you're notified of a data breach, you can take action to secure your information, inform your bank or change your passwords (especially if you use the same password everywhere -- but promise me you don't do that).

As part of the laws, companies are responsible for working out the scale of any breach that hits them to determine how likely it is to harm customers.

There are three basic tests to determine if a data breach fits the criteria. That includes working out if:

  • There was unauthorised access to or disclosure of personal information (or a loss of personal info)
  • This is likely to cause "serious harm" to the people involved
  • The serious harm can't be prevented with "remedial action"

The scheme has been mooted for years, but the push for change picked up pace after online deals website Catch of the Day told customers about a data breach in 2014, three years after the breach actually occurred. Speaking at the time, Shadow Attorney-General Mark Dreyfus said the delay was "not acceptable."

Back in 2014, we only had non-mandatory guidelines around data breaches. From Thursday, we have laws requiring action. Now we'll finally see just how many data breaches are hitting Australian companies and how many were going unannounced.