A year after Australia's long-fermenting notifiable data breaches (NDB) legislation received royal assent, the new code has today taken effect – ushering in a new era of disclosure obligations that could, depending on whom you talk to, be a major step towards cybersecurity transparency or a damp squib due to purposely vague legislation.

Looking past the surprise resignation of Australian information commissioner Timothy Pilgrim – the long-serving bureaucrat who survived uncertain agency status to oversee the codification of the NDB scheme and tighter controls – the Office of the Australian Information Commissioner (OAIC) has gone all-in on the NDB, this week releasing a data breach preparation and response guide and clarifying reporting obligations for small businesses.

It has also released guidance on how affected organisations should notify the OAIC of a data breach, with resources on proper processes and the wording of statements that must be sent to people whose personally identifiable information (PII) has been compromised.

Industry players have weighed in on the legislation, with IBM Security master inventor Chris Hockings noting the importance of engaging company executives as well as technology staff.

"With the increased accountability of boards to cyber security incidents, an organisation requires a proactive security approach," he said in a statement. "To meet the obligation of the Privacy Act and to meet customers' expectations, acting with speed and precision are essential."

"Boards must encourage technology partnerships with experts that can provide the tools and insight needed for C-level and board members to stay informed and respond effectively… For [NDB] to be a success requires all businesses to take a renewed approach to managing their security defences, to ensure that personal information is adequately protected."

That change is proving harder than might be expected, with recent surveys suggesting that as many as 6 in 10 companies still didn't understand their obligations under the legislation just weeks before it was scheduled to take effect.

Lack of awareness is only one issue: Phil Kernick, founder and CTO at CQR Consulting, recently went on the record warning that the NDB laws "will be among the weakest of any in the world".

"Once the dust settles, it will become clear that they will impose little to no pressure on businesses to change the way they currently protect personal data," he said, noting that the wording of the regulations leaves it up to companies to decide whether "serious harm" has occurred. "If the company decides the serious harm bar has not been exceeded, it doesn't have to take any action at all."

"History shows that even companies that experience a high-profile breach tend to suffer little or no long-term negative effect on their brand or operations," he continued. "As a result, there has been little incentive for businesses to increase their security budgets to ensure proper protection of personal data… This is what needs to be achieved by effective data breach regulations. They should internalise the cost of a data breach so that the option of doing nothing becomes an expensive one to take."

Outside assessments of organisations' true risk exposure are of course a matter of how many breaches are disclosed – and Trend Micro, for one, noted with interest in its 2017 Annual Security Roundup that the number of data breaches disclosed in 2017 actually fell by 32 percent from 2016 – from 813 disclosures to just 553 – despite pressure to increase their frequency.

The dip "seems to be a prelude to" the European Union general data breach regulation (GDPR) that comes into effect in May – and about which the OAIC has also offered guidance – the firm's analysis concluded.

"GDPR will have rigid compliance standards pertaining to data breach notifications. Steep penalties also await enterprises in the event of their failure to act in accordance with the regulation… [and] though the motives for breaking into enterprises' databases and systems vary, the methods continue to revolve around tried and tested practices."

Trend Micro has also warned about likely extortion attempts as criminals calculate what a company's exposure would be under GDPR, then demand a somewhat smaller ransom to avoid disclosure of stolen data.

The latest report "reveals a threat landscape as volatile as anything we've seen, with cybercriminals increasingly finding they're able to gain more — whether it's money or data or reputation damage — by strategically targeting companies' most valuable assets," Trend Micro director and data scientist Dr Jon Oliver said in a statement.

"In Australia we're likely to see the number of reported breaches double this year, improving not only organisations' transparency and compliance to NDB legislation changes but also minimising the value of the data criminals have access to."