During this year, Australia will require organisations to notify data breaches (including cyber-breaches) to the Privacy Commissioner and to all affected individuals. The civil penalties for failing to notify are up to $360,000 for individuals and $1.8 million for organisations. There are, however, many exceptions...
The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was passed on 13 February 2017 (becoming the Privacy Amendment (Notifiable Data Breaches) Act 2017), but it does not apply immediately. The government has to nominate a commencement date within the next 12 months.
The requirement to notify breaches to the Privacy Commissioner and affected individuals only applies to entities covered by the Privacy Act. It does not apply to state government agencies, local councils or most organisations with an annual turnover of less than $3 million (although some small businesses, such as private health service providers and those that trade in personal information, are covered regardless of turnover).
Not all breaches are notifiable. A breach is an "eligible data breach" only if a reasonable person would conclude that it is likely to result in serious harm to any of the affected individuals; if the organisation takes remedial action before any serious harm occurs, the breach does not have to be notified.
Sanctions for non-compliance are graded: at the lower end, an apology and compensation to those affected; at the upper end, (eventually) civil penalties, which the Privacy Commissioner can seek from the court for serious or repeated non-compliance.