The first data breach notification law (DBNL) was introduced in California in 2002 (and enacted in 2003).  Since that time, similar laws have been introduced in different forms in nearly all the States in the United States and are under consideration in a number of other jurisdictions – including Australia, where mandatory data breach notification laws were recommended to be included in the Privacy Act in 2008.    

Recently, focus is back on data breach notification – with the Privacy Commissioner coming out in continued support of a legislated requirement – although the government has still not made its position clear.

In the interim, the Privacy Commissioner has updated its Guide on Data Breach Notification to assist organisations in determining how they should respond in the case of a data breach.  Although it is only a Guide, in announcing its release the Privacy Commissioner made it clear that notification to affected parties and, in some instances, the regulator is part of a reasonable response to certain breaches.  In other words, ignore the Guide at your own peril!

IT Security Training Australia has prepared a comprehensive review of Data Breach Notifications Laws including:

  • The history and current status of DBNLs in the U.S.
  • Privacy legislation in Australia and the proposed inclusion of data breach notification provisions in the Privacy Act 1988 (Cth)
  • A comprehensive review of the OAIC’s new Data Breach Notification guidelines
  • Tips for compliance

A copy of the Data Breach Notification Whitepaper is attached.
