22 February, 2018 saw the Australian Government enact the Notifiable Data Breaches (NDB) scheme, requiring any organisation affected by a serious data breach to notify all individuals whose information may have been compromised. Non-compliance may result in heavy fines and penalties being imposed on both businesses and individual directors.
This article covers the full impact this new legislation can have on your business, and how you can ensure you are protected.
Note: Some information in this article has been generously provided by Whitbread partner, and leading Australian IT specialists, Surety[IT].
Data Breach Notification legislation - will your business be affected?
If your turnover is more than $3 million per year and you are governed by the Privacy Act 1998 (Cth.), or if you are a smaller business handling sensitive or personal information, then this new legislation can impact your business. The bill came into effect on February 22, 2018.
For more information on how to determine whether this applies to your business or organisation please refer to the OIAC (Office of the Australian Information Commissioner) website here: https://www.oaic.gov.au/engage-with-us/consultations/notifiable-data-breaches/draft-entities-covered-by-the-ndb-scheme
What is the new law?
The new law means that businesses who discover they have been breached, or who have lost data, will need to report the incident to the OAIC Privacy Commissioner as well as notifying affected customers as soon as they become aware of the breach.
The notification must include a description of the data breach, what kind of information it was, and recommendations on how customers should respond to the security incident.
What’s the impact of not reporting it?
Any business that fails to report a data breach can face fines of up to $360,000 for individuals and $1.8 million for businesses. Given the potential fines and penalties involved, this is a legislation every organisation, large or small must take seriously.
What is classed as a notifiable data breach in the new law?
The law considers a breach to have occurred when:
Data is accessed by an unauthorised entity, and / or disclosure or loss of customer information held by a business generates a real risk of serious harm to individuals involved.
‘Serious harm’ can mean physical, psychological, emotional, economic and financial harm, in addition to reputational damage.
Data breaches are not limited to malicious actions, such as theft or hacking but can also come from internal errors or process failures that cause accidental loss or disclosure of information.
What type of data and where?
The legislation applies to anything from personal details, medical records, financial information, credit reporting information, tax file number information etc. held on any device including mobiles, USB keys, hard drives, company networks or paper records. The legislation has a very broad scope.
Here’s a few examples of where the legislation would apply:–
- A mobile device containing company information is lost and there is no way of managing it remotely or ensuring that it hasn’t been accessed.
- There is unauthorised access to a spreadsheet containing customer financial information.
- A member of staff mistakenly emails the information of one individual to another individual.
- A member of staff takes personal information of customers.
- A contractor working on a database containing customer information takes a copy on their laptop and has their laptop stolen.
- An IT staff member finds malicious software on a computer that computer stored confidential information.
What harm could result from a breach?
- Identity theft
- Financial loss
- Threat to physical safety
- Threat to emotional wellbeing
- Loss of business / business interruption
- Reputational damage
- Loss of public trust
- Loss of assets
- Financial exposure
- Regulatory penalties
- Legal liability
What you need to do now...
It is critical that your business has carefully planned strategies, as well as policies and procedures to:
- Reduce the risk of a data breach
- Swiftly manage a data breach should one occur
- Minimise the severity and impact of a data breach on your business
Some areas to address as a starting point -
- Take out a Cyber Insurance policy to protect against financial loss
- Review your current data security strategy
- Develop a cyber security strategy that just doesn’t involve IT
- Educate your staff
- Develop a data breach management strategy
To keep updated with implementation of the Notifiable Data Breaches Scheme, head to the OAIC's website.
A Cyber Insurance policy can provide financial protection for you and your business
While IT strategies can help prevent data breaches, in this day and age, there is no foolproof method to guarantee total security of your data. What you CAN do, is take out a Cyber Liability Insurance policy. A Cyber Insurance policy can protect against the financial consequences of a data breach in a number of ways:
- Fines & penalties - Financial compensation to recoup costs that result from a security breach – including regulatory fines - which can amount to $1.8 million.
- Third party liability - Compensation for clients and customers who suffer financially or emotionally as a result of stolen data.
- Legal and forensic investigation expenses - Extends to include expenses for legal counsel and representation, as well as and costs forensic investigation.
- Reputational repair - Covers for the cost of professional consultants to assist in repairing damage to your company’s brand and reputation.
Specialist IT assistance
Leading Australian IT specialists, Surety[IT] can help you implement targeted, quality risk management practices that significantly minimise your financial and operational exposures. For information on how Surety[IT] can help defend your company against a cyber attack, visit their website. Please click here to access the original version of this insight article on the Surety[IT] website.
To ask for your Cyber Liability insurance quote, and to understand how it can protect your company's reputation and bottom line, contact your Whitbread Insurance Adviser.
This insight article is not intended to be personal advice and you should not rely on it as a substitute for any form of personal advice. Please contact Whitbread Associates Pty Ltd ABN 69 005 490 228 Licence Number: 229092 trading as Whitbread Insurance Brokers for further information or refer to our website.