NSW government agencies will be legally required to report customer data breaches such as cyberattacks if a new bill passes parliament.
- NSW would be the first state or territory to legislate mandatory reporting of data breaches
- The move comes after customer data was hacked at Optus and Medibank
- Opposition says bill is ‘common sense’ measure
State government agencies will have to notify customers of a breach within 30 days under the proposed data protection law.
NSW Attorney General Mark Speakman said the law would ensure people would know “fairly quickly” that there had been a data breach.
“They can take their own steps to mitigate the damage, but in the meantime the public sector agency will also be required to take reasonable steps to manage the situation,” Mr Speakman said.
The Privacy and Personal Information Protection Amendment Bill provides a blueprint for government agencies to follow to protect data.
This includes taking steps to mitigate the damage caused by a data breach and creating an internal log to document such breaches.
Its introduction comes after a series of cyberattacks against companies such as Optus and Medibank put the data security of millions of people at risk.
Mr Speakman told the ABC that the bill had broad support and that he believed it could be passed by Parliament within the next fortnight.
“There are ongoing cyber threats to public sector agencies,” he said.
“Sometimes the data breach can be due to hacking and other times due to negligence.
“As a government, we do everything we can to protect citizens’ data.”
Mr Speakman said relevant agencies – which include local councils, statutory authorities and some universities – will have a year to put the necessary systems in place.
NSW Labor leader Chris Minns described the bill as a “common sense” measure.
“I would like to speak to tech experts to find out if it is possible to let people know earlier and make sure the government is able to comply with these changed rules,” he told the ABC.
“If we see, at the end of the day, that it makes sense and the government is able to comply with it through its agencies, then we would be in favor of it.”
In September, Optus announced that it had been hit by a cyberattack. The hackers stole customer information ranging from details to identification numbers, including passports and driving licenses.
Health insurer Medibank was the target of an attack in October, revealing that the personal information of around 9.7 million current and former customers had been accessed.