On February 22, the mandatory data breach notification law comes into effect in Australia. It applies to private entities subject to the Australian Privacy Act, including entities with an annual turnover of more than $3 million, businesses that provide a health service or that disclose personal information, as well as federal government agencies and those that contract with them.
A company that suspects it may have suffered a data breach capable of causing “serious harm” to any relevant data subjects will have 30 days to investigate and determine whether an eligible data breach has in fact occurred. The law does not define “serious harm”, but we can assume it involves a significant degree of emotional, physical, reputational or financial damage.