Yahoo breach puts focus on Australian consumer hacking protections
Yahoo's confirmation of a serious hack has put the spotlight on Australia's lack of regulation forcing businesses to tell victims their information has been stolen.
The tech giant has confirmed a massive attack on its network that occurred in 2014, with hackers accessing data from at least 500 million users.
Yahoo believes it may have been a state-sponsored attack, with the hackers capturing names, email addresses, birth dates and scrambled passwords, along with encrypted or unencrypted security questions and answers that could help hackers break into victims' other online accounts.
In Australia, there are no laws that force companies that have been breached (or inadvertently disclosed information) to notify the affected customers.
The Government has released draft laws to force notification of personal information data breaches, known as mandatory data breach notification.
The legislation is proposed to be introduced in this year's Spring sittings of Parliament, as an amendment to the Privacy Act.
These laws have long been advocated for by privacy experts and were recommended as part of a Parliamentary Joint Committee on Intelligence and Security inquiry into Australia's data retention laws.
However, industry groups are pushing back against the changes, fearing they could be difficult to implement and impose an unreasonable compliance burden on businesses.
Nick Abrahams, a partner at law firm Norton Rose Fulbright, advises companies on how to deal with data breaches.
He said "more often than not in Australia people aren't getting notified" and that the legislation was inevitable.
"We just need to get on with it - we're going to get it, we should have it," he said.
"Most other countries of our level of development have similar concepts.
"Particularly boards are having to deal with this issue because right now [breaches don't] get escalated to them because there's no obligation to notify.
"It's an important issue for boards to think about - 'are we risking serious harm to those people whose data we have compromised?'
"The reality is there's so much more of it happening now."