The Australian Government’s Office of Australian Information Commissioner (OAIC) has received 31 breach notifications in the three weeks after the country’s new mandatory data breach disclosure laws kicked in.
The Government’s mandatory data breach notification legislation, Privacy Amendment (Notifiable Data Breaches) Bill 2016, was introduced in Parliament in late 2016, and was passed into law in February, with the new rules taking effect on 22 February.
The laws see Australian businesses with an annual turnover of $3 million or more have to disclose information breaches that involve individuals’ personal information.
In instances where it is not certain that a breach has occurred, the new laws give organisations up to 30 days to investigate whether a breach notification is needed.
Under the regime, companies are required to disclose breaches as soon as possible or within a 30-day window in instances where it is not certain that a breach has occurred.
Now, the agency tasked with handling the notifications, the OAIC, has revealed that it received a total of 31 such notifications in the three weeks after the new regime took effect.
While it hasn’t started yet, OAIC intends to begin releasing statistical information on the data breach notifications it receives on a quarterly basis, starting with information up to the end of March this year.
The data breach notification tally comes as shipping firm Svitzer, a subsidiary of global shipping giant Maersk, notifies the OAIC of a data breach that reportedly affected almost half of its Australian employees.
As reported by ABC News, emails from the accounts of at least three of the company’s Australian employees were automatically forwarded to locations outside of the company. The notification was confirmed by the OAIC.
“Svitzer have provided a notice to the OAIC about the data breach,” a spokesperson for the OAIC said. “In accordance with its usual procedures and the OAIC’s privacy regulatory action policy the OAIC will assess the information in the notification and decide if any further action is required.
“Importantly, the primary purpose of the Notifiable Date Breaches scheme is for organisations and agencies to notify affected individuals where a data breach may be likely to result in serious harm so that the individuals can take action themselves to reduce the chance of experiencing that harm,” the spokesperson said.