Australia’s new Mandatory Data Breach Notification law and what it means for your business

On 22 February 2018 Australia’s Notifiable Data Breaches scheme, commonly called the Mandatory Data Breach Notification law, came into effect. Broadly speaking, it requires businesses to notify when they have had a data breach involving personal information that is likely to result in serious harm. They must let the affected individuals and the Office of the Australian Information Commissioner (OAIC) know as soon as practicable; where a breach is only suspected, they have up to 30 days to assess whether it is one that must be notified.

In short, Australian businesses, as well as global companies that do business here, need to have protections in place to prevent a data breach, and they need to know how to notify the affected people and the regulator when one happens.

Before 22 February 2018 companies were encouraged to do this, but it was voluntary. The new law makes it mandatory. It is not a standalone act: it amends the Privacy Act 1988.

What kind of companies are affected?

Any business with more than $3 million in annual turnover is affected. In addition, businesses that provide health services, offer credit or credit reporting services, handle tax file numbers (TFNs, so assume all accounting firms and the like), trade in personal information, or act as contractors to the federal government must comply regardless of yearly turnover. There are others as well; the full list is on the OAIC website.

Australia’s new Mandatory Data Breach Notification law and how SecureStack can help

So, what does the law require companies to do specifically?

Two things, really. First, they need to protect personal information in the first place, which means taking reasonable steps to secure it, both physically and electronically. Second, when a breach has happened or is suspected, they need to assess it and notify affected individuals and the OAIC in a timely manner if it is likely to result in serious harm. The obligation follows the data even when the company does not hold it itself: if you use a cloud provider for accounting, CRM or data storage, you are still responsible for keeping that information private, because you are using it for your business.

What are these “reasonable actions” I need to take?

The law doesn’t prescribe specific controls. The OAIC does, however, publish a guide to securing personal information that discusses measures such as encryption, intrusion detection, centralized logging, multi-factor authentication and others.

All your data are belong to us

Why is this law necessary?

Cybercrime is growing. Unfortunately, voluntary notification schemes aren’t effective: many companies choose not to report security breaches, and the public is none the wiser. Their reputation often matters more to them than our personal information. The price we pay as consumers for their silence is that our personal data becomes ever more available, more frequently stolen and richer, and it is sold to the highest bidder.

An IBM study found that the average cost of a data breach was $4 million USD, and HP found that breaches cost American companies an average of $15 million USD. Global damages from cybercrime were estimated at $3 trillion in 2015 and are expected to reach $6 trillion by 2021. Cybercrime is clearly lucrative, and a growing number of people around the world see it as a viable occupation. Along with all the advantages the cloud and the internet bring, they also bring a new accessibility that we didn’t have before, making it easy to attack your business online from anywhere. You can’t bury your head in the sand in this environment, and the Mandatory Data Breach Notification law is a good first step. At the very least it is getting people thinking about security and asking questions at work.

Cyber security is hard, right?

We hear that a lot from potential customers. Their experience with IT security is that it gets in the way and makes it harder to do their job. All too often security isn’t architected into the solution from the start, which makes it harder to implement after the fact. Security staff (InfoSec) are often overwhelmed by how to implement new solutions without causing the business downtime and pain. I certainly was when I was in that position.

We Secure the Cloud

So that’s one reason we created SecureStack. We wanted a way to give customers *real* security tools that are easy to implement. SecureStack SIPServer and SecureStack Base are our way of addressing that need.

The Privacy Act, of which the notification scheme is now part, requires that you “take reasonable steps to protect the information from misuse, interference and loss, as well as unauthorised access, modification or disclosure” (Australian Privacy Principle 11). SecureStack does that in two ways. First, it provides tools for companies to build secure infrastructure: security tools are baked into each instance or server. Second, our platform automatically ships all security data to a centralized location, a SIEM. SecureStack SIPServer is that SIEM, with a web-based UI. We provide custom search intelligence, dashboards and visualizations that let you see your security data in a whole new way. You don’t have to go looking for what’s happening: it’s already in front of you, alerting the right people and in many cases automatically mitigating the issue. We built it to be easy, but we also built it to be powerful.

If you’d like more info, you can find our products on the AWS Marketplace. SecureStack supports AWS, Google GCP, Microsoft Azure, Alibaba Cloud, VMware and more. We also have an enterprise product for your legacy infrastructure. SecureStack Base is $15 per month and SecureStack SIPServer is $51 a month. We offer a free trial as well.

If you are interested in reading more about the law, the OAIC website has the details.

Paul @ SecureStack

DevSecOps specialist. Founder SecureStack.
