The Australian Parliament has taken the first legitimate step towards mandatory data breach notification becoming reality, with the proposed Privacy Amendment (Notifiable Data Breaches) Bill 2016 (the Bill) receiving bipartisan support in the House of Representatives on Tuesday.
The measure has been on the government’s agenda since 2015, and many within the IT, security, legal and insurance arenas have seen it as a long time coming.
Under the proposed laws, organisations subject to the Privacy Act 1988 (Cth) would be required, in the event of a serious data breach, to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals.
Organisations subject to Privacy Act obligations include most businesses with an annual turnover in excess of $3 million, as well as a number of smaller organisations, such as those handling sensitive health data. An eligible data breach is “unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an entity” where “the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates”. If the Bill is enacted, an organisation that suffers such a breach will face serious cost and reputational exposure.
The passing of the Bill will only increase the consequences of an already present risk. The Bill will have significant practical implications for personal and corporate data security as well as for contractual relationships. Consequences may include:
- Notified data breaches becoming instant public news. Not only may the affected individuals disclose the breach in forums such as social media or web pages, but breaches will be reported in the mass media and recorded online in perpetuity.
- Dedicated privacy and consumer rights organisations will keep comprehensive and permanent online records of reported privacy breaches.
- Contractual counterparties will know about the breach and will be concerned about whether their confidential information has been exposed.
- An increased risk of class actions brought by affected parties, or by litigation funders on their behalf, following a breach of data.
Whilst the increased costs associated with the passing of the Bill are real, the exposure and cost relating to current cyber and privacy events remain understated and extremely high. Current privacy breach claims costs in Australia stand at $2.64 million per breach (as per the latest 2016 study by the Ponemon Institute). The same study indicates that, even without mandatory breach notification laws, companies face up to an 80% chance of losing nearly a quarter of their value in the single month following a significant breach crisis.
The introduction of the Bill will lead to increased organisation-wide exposures, on both a fiscal and a reputational front. Cyber and privacy risks continue to be a whole-of-organisation and (where relevant) a board-level discussion. Strong IT protections, practices and procedures are recommended and required, but they cannot provide complete protection. This is where Cyber Liability & Privacy Insurance can fill the gap. The greatest value lies in applying cyber insurance as an additional layer that complements the efforts of IT and other information-security-oriented functions. Cyber insurance is particularly effective when the cost of additional information security controls does not reduce the risk enough to make the investment in those controls practical.
Mandatory breach notification will subject Australian organisations to additional scrutiny, and will also significantly increase the costs of cyber risk monitoring and remediation. Initial investment should go into cyber capability development; as the risk curve flattens, cyber insurance will become an efficient means of further reducing risk. As the Bill makes its way through the Senate, organisations will need to implement a robust cyber policy, including a review of the need for, and/or the current structure of, their Cyber Liability & Privacy Insurance to protect against their associated risk exposures.