Australian Privacy Commissioner Timothy Pilgrim opened an additional 59 investigations into data breaches not reported to his office in the last financial year, he said.
Data breach notification is not mandatory, Pilgrim noted. However, there is increased pressure on the Australian government to introduce laws to make it a general legal requirement as it is elsewhere, he added.
To encourage more companies to report data breaches, the OAIC is revising its data breach notification guidelines. The revision outlines four steps for firms to consider when responding to a breach or suspected breach and also outlines preventative measures that should be taken as part of a comprehensive information security plan. The four steps are contain the breach and do a preliminary assessment, evaluate the risk associated with the breach, provide notification, and prevent future breaches.
“As legislative change is considered by the government, the OAIC has updated a guide to assist agencies and organizations to respond to data breaches”, Australian Information Commissioner John McMillan said in launching the revised guidelines.