Australian travel insurer, Aussie Travel Cover (ATC) has recently revealed that it was the subject of a cyber-attack in December of last year which compromised 770,000 pieces of personal data.
Although it notified the Australian Information Commissioner soon after it became aware of the attack, Australia currently has no laws requiring companies to disclose data breaches, regardless of size, so ATC was under no obligation and chose not to inform its policyholders of the breach.
However, the Commissioner has the regulatory power to investigate any alleged breach of the Privacy Act, which it may do following a complaint or of its own volition.
Unfortunately ATC's decision not to inform its policyholders of the breach, many of whom found out about the breach through the media, is likely to result in complaints to the Commissioner therefore making it more likely to commence an investigation.
If the Commissioner does decide to commence an investigation and finds that reasonable steps were not taken by ATC to protect its customers' data it may be subject to a range of civil sanctions.
A news report on the attack is available here.