Mandatory notifiable data breaches (NDB) legislation
Organisations with a turnover of more than $3 million, plus organisations that collect information such as tax file numbers or personal health data (among others) are subject to NDB legislation. The legislation was created to give individuals more control in situations where their personal data has been stolen or accessed by unauthorised people. The law states that businesses must notify the affected individuals along with the Office of the Australian Information Commissioner (OAIC) if a breach occurs and is likely to result in ‘serious harm’ to the individuals.
The definition of serious harm includes emotional distress and reputational damage, as well as financial losses.
Knowing that a breach has happened, and the potential ramifications, means individuals can take steps to protect themselves, such as cancelling their credit cards and being alert to potential identity theft.
However, if it is suggested that the organisation could and should have done more to prevent the data breach and protect the individuals’ information, then that business could be subject to a class-action lawsuit that could cost a lot more than the fine.
What are the chances of lawsuits happening in Australia?
Data breach lawsuits are already happening in the United States, so it is only a matter of time before Australian courts start seeing a similar pattern. Many Australian law firms are already warning their clients that prevention is better than cure, and they should protect their customer information and mitigate the risks of data breach such as a cyberattack.
How can businesses prepare and reduce the risk?
The first step is to implement strong security measures that prevent unauthorised people from accessing your client data and block cybercriminals from gaining access to your IT systems and communications. Businesses can also prepare by avoiding the collection of personal data that isn’t absolutely essential to their business. This may help make the business a less attractive target.
If an attack does occur, it’s crucial to act immediately to reduce the severity. This includes calling in the experts straight away to close any security gaps or retrieve the lost data, and engage legal and public relations advisors to assist with notifying all relevant people and regulatory bodies.
The increasing sophistication and determination of cybercriminals means it’s not possible to guarantee that a breach won’t occur. Therefore, like any business risk, it is essential to mitigate the potential loss with the right insurance.
Why cyber insurance is essential
Cyberattacks and data breaches are a very real concern and the implications for businesses can be catastrophic. Cybercrime impacts businesses as a whole, not just IT departments or systems.
The risks are broad and include financial loss, business interruption, reputational damage, and loss of clientele.
The ASX has reported that 80 per cent of companies it surveyed are expecting an increase in cyber risk over the next year while only 45 per cent of the surveyed companies are confident about their ability to detect, respond, and manage a cyber intrusion.
This means losses are likely and businesses should protect themselves by purchasing cyber insurance.
The right cyber insurance policy can be a valuable part of an organisation’s data breach response plan by providing the resources necessary to manage the response in line with the legislative requirements and minimise the impact.
Rejecting cyber insurance is as risky as refusing to insure your premises against fire. Of course, you hope you won’t have to deal with a cyberattack and organisations will take steps to prevent a data breach. But if the worst happens, the right cyber insurance policy will help you manage the incident, recover, and get back to business.
While cyber insurance is in its relative infancy in Australia at the moment, it won’t be long before it’s considered as essential as any other business insurance.
