On February 22 2018 the Privacy Amendment (Notifiable Data Breaches) Act 2017 comes into effect, requiring Australian organisations affected by a serious data breach to notify all individuals whose information may have been compromised.  Failure to notify could result in fines of $360,000 for individuals and $1.8 million for organisations.

Data Breach Notification legislation – will your business be affected?

If your turnover is more than $3 million per year and are you governed by the Privacy Act 1998 (Cth.), or if you are a smaller business handling sensitive information, then this new legislation can impact your business.

More information about how to determine whether this applies to your business or organisation please refer to the OIAC (Office of the Australian Information Commissioner) website https://www.oaic.gov.au/

What is a notifiable data breach?

A Notifiable Data Breach is a data breach involving personal information that is likely to result in serious harm to any individual affected. An eligible data breach arises when the following three criteria are satisfied:

1. there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds;
2. this is likely to result in serious harm to one or more individuals;  and
3. the entity has not been able to prevent the likely risk of serious harm with remedial action.

Here’s a few examples of where the legislation would apply:–

• A device containing customer’s personal information is lost or stolen and there is no way of managing it remotely or ensuring that it hasn’t been accessed.
• A database containing personal information is hacked
• Personal information is mistakenly provided to the wrong person.
• Employees accessing or disclosing personal information outside the requirements of their employment.
• Paper records found in an insecure recycling or garbage bin.

What You Need To do!

Organisations will need to ensure they have an adequate Data Breach Response Plan in place by the time the legislation changes are implemented.

Having a Data Breach Response Plan is part of establishing robust and effective privacy procedures. And having clear roles and responsibilities is part of good privacy governance. A data breach response plan can also help you:

• meet your obligations under the Privacy Act — an entity must take reasonable steps to protect the personal information that it holds; those reasonable steps may include having a data response plan
• protect an important business asset — the personal information of your customers and clients as well as your reputation
• deal with adverse media or stakeholder attention from a breach or suspected breach
• instil public confidence in your capacity to protect personal information by properly responding to the breach.

How Will A Cyber Insurance Policy Help?

A Cyber Insurance policy will play a fundamental role in providing your organisation with cover for costs incurred when making a data breach notification.  Most insurers will provide a 24/7/365 day incident response hotline, giving you access to specialist vendor panel with local, regional and global capabilities.

In addition, the benefits of a Cyber Insurance Policy can include:

• Crisis communications and reputational mitigation expenses.
• Incident response and investigation costs.
• Liability arising from failure to maintain confidentiality of data.
• Liability arising from unauthorised use of your network.
• Online media liability.
• Regulatory investigations and or enforcement proceedings expenses and fines/penalties

Speak to your Account Manager today for more information on how a Cyber Insurance Policy will assist your organisation.

For more information on the requirements of the Notifiable Data Breaches scheme, visit the Office of the Australian Information Commissioner’s website https://www.oaic.gov.au/privacy/notifiable-data-breaches