The Office of the Australian Information Commissioner, led by Timothy Pilgrim, received 114 breach notifications last financial year – up from 107 the year before. Given mandatory notification doesn’t start for a few more months, this could be the thin edge of the wedge as companies come to grips with the new regulatory regime.
The OAIC’s report said the top five sectors reporting breaches were the federal government, the finance and superannuation industry, retail, health services and telecommunications. 92% of the breaches were reported within 60 days, which sounds good until you work out that about nine of the reported breaches took over two months to report.
The new laws give companies 30 days to report, suggesting that while it’s good that businesses are reporting, they’ll need to lift their game from February 2018.
The OAIC’s report also covered privacy complaints. It received almost 2500 complaints, with the finance sector the “winner”, receiving 15% of them. Telcos came in second with 8%. That’s a change from the year before, when health service providers and the federal government led the pack.
It’s important to note that if you’re a listed company, you have more to report than just the loss of PII if there’s a breach. Any breach that can materially affect company value has to be reported to ASIC and other agencies. So, while the new Mandatory Breach Notification laws expand to cover more companies (pretty much all those turning over $3M or more), the need to report breaches is not new.