2017 will be remembered as the year of data breaches. Millions of accounts across the world were exposed, hacked, or just left open for anyone to read. From AWS accounts not being locked, to companies being hacked or phished, to plain stupidity, 2017 saw it all. In response to these massive data loss events, the Australian Government has changed the Privacy Act, making disclosure of data breaches mandatory. Companies like KPMG are reorientating to align with this new law in preparation for the data breaches yet to come in 2018 and beyond. From February 22, 2018, all entities covered by the Australian Privacy Principles will have clear obligations to report eligible data breaches within 30 days. If an eligible data breach is confirmed, entities must provide a statement to each of the individuals whose data was breached or who are at risk, and notify the Office of the Australian Information Commissioner (OAIC).