Over the past two months we have written articles outlining the risk of cyber-breach to businesses. There can be significant direct and third-party costs as a result of a breach, along with the need to quickly access expert professional help after a breach. Along with this there is new legislation for mandatory breach reporting, which is the subject of this months article.
Mandatory Breach Notification Laws
Effective 22nd February 2018 organisations will be legally obliged to disclose data breaches, but how will these new laws impact your business?
Will my business have to comply with these laws? The law applies to organisations that have responsibilities under the Privacy Act, including
- Australian Government agencies
- Businesses and not-for-profit organisations with an annual turnover of more than $3 million.
The law will also apply to certain types of businesses with an annual turnover of less than $3,000,000 and are applicable to the following business segments
- Private sector health services providers (including alternative medicine practices, gyms and weight loss clinics)
- Child care centres, private schools and private tertiary educational institutions.
- Businesses that sell or purchase personal information along with credit reporting bodies
- Individuals who handle personal information for a living, including those who handle credit reporting information, tax file numbers and health records are also covered under the new data breach notification scheme.
What is a data breach?
A data breach is defined as an instance where –
- there has been unauthorised access, or unauthorised disclosure of, personal information concerning one or more individuals
- there is a likely risk of serious harm the affected individuals as a result of the unauthorised access or unauthorised disclosure.
- information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure.
What is Compulsory Notification?
In the event of a data breach, an organisation has a duty of notification to the Office of the Australian Information Commissioner and the affected individuals of an eligible data breach “as soon as practicable after the entity is aware that there are reasonable grounds to believe that there has been an eligible data breach.”
Notification is considered compulsory unless notification impacts upon a law enforcement investigation or was determined by the regulator to be contrary to public interest.
What sort of Penalties may apply?
Under the new laws, where an organisation has committed “serious or repeated non-compliance with mandatory notification requirements”, they may face fines of up to $360,000 for individuals and $1.8 million for organisations.
A significant data breach to an organisation can be financially crippling, costs could range from business interruption, ransom payments, incident response, third party claims and legal costs, to customer notification expenses and data reconstitution.
SME Business Claims Example – Professional Services Firm
A company’s server and client records were locked by Ransomware software. The company was unable to have the files released unless they paid a ransom of $50,000 to the hackers.
In addition to the Ransom, the business suffered losses of $150,000 including income whilst the files were locked and the server was down, consultant’s costs to advise on the handling of the matter and negotiation of the ransom, and costs to restore the network, as the hackers refused to release the files despite the company complying with the Ransom request.
Fortunately the affected business had placed a Cyber Liability policy to respond to the attack.
So, even if your business falls outside the scope of the legislation, the potential costs and need to quickly access expert advice are reason enough to consider your options. If you want to find out more contact Nathan Corrigan at Insurance House, (02) 8913 9137 or nathan.corrigan@ihgroup.com.au.
