New Australian Breach Notification to Impact All Destruction Service Contracts

September 27, 2017 
Many of the thirty-plus secure destruction professionals attending the recent NAID-ANZ Shred School were surprised to hear NAID CEO Bob Johnson describe how the impending Australian data breach notification law will require changes to every existing data disposal contract in the country.
“As of 22 February, any customer who is responsible for the protection of personal information will have to modify service provider contracts, wherein the vendor accepts and acknowledges their responsibility to notify the client in the event personal data entrusted to the vendor is potentially breached,” Johnson said. 
He added, “The good news is that it is the customer’s responsibility to make this modification. The bad news is that competitors will use the contract requirement to put your existing accounts in play.”
As a result, attendees were advised to be proactive in modifying their terms and conditions to reflect their new breach notification responsibility, and in reaching out to customers where terms and conditions are superseded by a contract. 
“Customers without any contract in place are extremely vulnerable to poaching,” said Johnson. “Data breach notification laws, which make customers directly responsible to remedy breaches caused by their data-related service providers, have proven time and again to be the single biggest game-changer. For the first time, businesses can be deemed legally negligent simply by lacking the appropriate contractual language.”
NAID AAA Certification already includes provisions requiring that policies and procedures, as well as employee training, express a service provider’s obligation to notify the customer of a potential data breach. 
NAID-ANZ members will soon receive information regarding specific language that can be added to contracts should they decide to proactively address any shortfall in that regard with their existing customers.