Australia's mandatory Notifiable Data Breaches scheme is likely to increase the cost of data breaches and the risk of class actions, say Miller's experts. In this article we introduce the new requirements and discuss the importance of a robust breach response.
From February 2018 Australian companies are required to notify the regulator of a data breach, and inform individuals if that breach puts their personal data at risk. Failure to do so can result in fines as high as A$2.1 million for serious or repeat offenses.
Australia is no stranger to data breaches. In November 2017, the personal details of 50,000 Australians were compromised when a contractor working for government agencies and financial services companies exposed the data in the cloud. In 2016, the Australian Red Cross Blood Service accidentally placed the private information of half a million Australians on an unsecured, public-facing website.
According to the Office of the Australian Information Commissioner (OAIC), data breach notifications and privacy complaints have been increasing. In the past year there was a 29% rise in voluntary notifications to 114 incidents, and a 119% increase in mandatory notifications to 35 incidents.
Mandatory scheme
Under the Privacy Amendment (Notifiable Data Breaches) Act 2017, the OAIC is switching to a mandatory data breach notification regime. Previously, Australian companies (with the exception of health companies) were not required to notify the regulator of a data breach, although the OAIC did administer a voluntary data breach notification scheme that allowed businesses to self-report.
According to the OAIC, the new notification requirement reflects developments in the EU, North America and Asia Pacific, where mandatory data breach notification requirements are already in place or are in the pipeline.
In the case of the EU's General Data Protection Regulation, Australian companies that hold personal data on EU citizens will face additional requirements and much higher penalties.
From 22 February 2018, businesses and government agencies covered by Australia's Privacy Act are required to notify the regulator and affected individuals in the event of an "eligible" data breach that poses a "real risk of causing serious harm". Eligible data breaches are not limited to malicious actions, such as theft or 'hacking', and include those caused by accidental loss or disclosure.
This means that organisations will need to be prepared to conduct a “reasonable and expeditious assessment” of suspected data breaches to determine if they are likely to result in serious harm.
When notifying individuals, organisations should include details of the breach and recommend steps that individuals should take to reduce the risk of harm.
The OAIC has published guidance on exactly who is covered by the regime, what constitutes an eligible data breach and the requirements for notifying individuals about a data breach.
Breach response
How an organisation responds to a data breach will affect the financial and reputational impact of an incident. Companies will need to plan ahead and be in a position to respond quickly and competently if they are to maintain the trust of their customers and the confidence of the regulator.
Companies are advised to:
- Assess the personal data they hold, how it is used and where it is stored.
- Develop a data breach policy and response plan.
- Update security, data processes and training.
- Review contracts with customers and suppliers for privacy liability and security.
- Carry out a data breach impact study and consider if insurance coverage and limits are appropriate.
Standalone cyber insurance will cover the key costs of a data breach, including notification costs. According to the Ponemon Institute, the average cost of a data breach in Australia is currently around A$2.5m, although larger breaches average around A$6.7m.
Insurance can also cover third-party liabilities, including class actions and suits filed against an organisation following the unauthorised disclosure of personal data. Australia is already among the most litigious countries in the world, and the notification requirements are expected to increase the prospect of class actions for large data breaches going forward.
Cyber insurance will typically indemnify:
- The cost of hiring IT forensic, legal and PR consultants.
- The cost of notifying individuals, such as letters, call centres and credit monitoring services.
- Third-party liability, including defence costs, settlements and judgements.
- Regulatory action costs, including defence and investigatory costs as well as penalties (where insurable by law).
Cyber insurance can also assist companies by providing data breach response services that kick in once a breach is discovered. Many insurers offer policies that give organisations instant access to the expert services that are critical when dealing with a data breach and notifying the regulator and individuals.