In plain English
If your business suffers a data breach, and a reasonable person would conclude it is likely to cause serious harm to the people whose personal information was involved, you are legally required to notify both the Office of the Australian Information Commissioner (OAIC) and those individuals. Notification must be made as soon as practicable once you have established that the breach is notifiable; if you only suspect a breach, you have 30 days to assess whether it is.
Full definition
The NDB scheme applies to Australian Government agencies and private sector organisations with an annual turnover of $3 million or more, as well as certain smaller organisations that are already covered by the Privacy Act 1988, including health service providers, organisations that trade in personal information, and tax file number recipients.
A notifiable (eligible) data breach occurs when: personal information is lost, or subject to unauthorised access or disclosure; and a reasonable person would conclude that this is likely to result in serious harm to any of the individuals concerned; and the organisation has not been able to prevent that likely harm through remedial action (for example, because a lost device was encrypted and remotely wiped before anyone could access the data).
Penalties for serious or repeated interferences with privacy, which include failing to meet NDB obligations, start at $50 million for companies: the maximum is the greater of $50 million, three times the benefit obtained from the contravention, or 30% of adjusted turnover for the relevant period. An IronSights retainer puts a tested response plan in place before a breach occurs, reducing both legal exposure and the time needed to contain an incident.
