MANDATORY BREACH NOTIFICATION LAWS ARE A REALITY
Is your company ready?
The Australian Parliament has taken the final step in making mandatory data breach notifications a reality, with the proposed Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) receiving bi-partisan support in the House of Representatives and Senate on 13 February 2017. Following Royal Assent it is expected the law will come into effect within a year.
The Bill has been on the government’s agenda since 2015, and many within the IT, Security, Legal and Insurance arenas have seen it as a long time coming. Under the proposed laws, organisations subject to the Privacy Act 1988 (Cth) would be required to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals should a serious data breach occur. Most businesses are subject to Privacy Act obligations, specifically those with an annual turnover in excess of $3 million as well as a number of smaller organisations, such as those handling sensitive data.
The definition of a data breach notifiable under this law is unauthorised access to, unauthorised disclosure of, or loss of personal information held by an entity where the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.
This Bill increases the consequences of an already present and growing risk faced by all organisations. In the event of a breach, the affected company will face serious cost and reputation exposures. Companies will feel significant pressure to protect personal and corporate data, and to maintain relationships and brand reputation, regardless of the Privacy Amendment. Mandatory notifications, however, amplify potential damages.
Consequences of mandatory notifications may include:
Notified data breaches becoming instant public news. Not only will the person affected potentially disclose such a breach in forums such as social media or web pages, but breaches will also be reported in the mass media and recorded in perpetuity online.
Dedicated privacy and consumer rights organisations will keep comprehensive and permanent online records of reported privacy breaches.
Contractual counterparties will know about the breach and will be concerned about whether their confidential information has been exposed.
What do the new notification laws mean to you?
Whilst increased costs associated with the passing of the Bill are real, exposure and costs relating to current cyber and privacy events remain understated and extremely high. Current privacy breach claims costs in Australia stand at $2.64 million per breach (Ponemon Institute, 2016). The same study indicates that without mandatory breach notification laws, companies face up to an 80% chance of losing nearly a quarter of their value in a single month following a significant breach crisis. These costs are only expected to increase once the above Bill comes into effect.
Increased organisation-wide exposures will be felt on both a fiscal and reputational front. Cyber and Privacy Risks are relevant to the whole organisation and are a board priority. Strong IT security practices and procedures are required; however, they cannot provide complete protection.
An extensive Cyber Liability & Privacy Insurance policy can fill the gap. The application of Cyber Insurance as an additional layer of protection, complementing the efforts of IT departments and other information security functions, is where the greatest value lies. This is particularly effective when additional information security controls would not reduce the risk enough to make the investment in such controls practical.
Mandatory Breach Notifications will bring additional scrutiny to Australian organisations, and significantly increase the costs of cyber risk monitoring and remediation. Initial investments should be in cyber security capability, with cyber insurance an efficient means to further reduce risk.
As the Bill becomes a reality, organisations will need to implement robust cyber and privacy protocols. This should include the implementation of a Cyber Liability & Privacy Insurance policy that will protect against associated risk exposures.