Financial Impact of the Privacy Amendment (Notifiable Data Breaches) Act 2017

By Krist Davood - February 22, 2018

Starting from the 22nd of February 2018, organisations with a turnover of $3 million or more will fall within the scope of the new Privacy Act measures requiring mandatory notification of cybersecurity breaches.

Upcoming penalties of up to $1.7 million for companies, and $340,000 for individuals, mean that professional firms and their clients will need to be prepared for the Privacy Amendment (Notifiable Data Breaches) Act 2017 to ensure they do not pay fines. These penalties do not include reparation costs for any customers who may be impacted by a breach at professional firms or their clients.

In a snapshot, the law will require organisations to notify affected individuals and make a report to the Privacy Commissioner where a data breach that could cause ‘serious harm’ has occurred. The term ‘serious harm’ may include physical, psychological, economic or financial harm, but would not include individuals merely being distressed or upset.

The notification will need to include a description of the breach, the kinds of information concerned, and recommendations to affected individuals about the steps they should take in response to a serious data breach. Not notifying those affected may attract a fine for both the individual Director(s) and the company.

This is a fundamentally different set of provisions from what is in place at present and places a significant onus on businesses dealing with the data of customers and clients to ensure that it is kept in a secure cyber environment.

Under the new laws, in the event of a breach, professional firms and their clients' organisations must demonstrate how they have complied with the relevant legislation and have taken reasonable steps to protect the organisation’s data and systems.

Examples of breaches that we believe would require reporting under the new laws include, but are not limited to:

  • Ransomware attacks
  • Theft of customer details
  • Data theft using USBs
  • Stolen credit card details
  • Malware attacks
  • Unauthorised access to financial transactions by unknown parties

For further information, please contact your regular Pitcher Partners representative or a member of the Critical Point Network team.
