On February 23, 2018 the Privacy Amendment (Notifiable Data Breaches) Act 2017 came into effect. What does this mean for your business?
The legislation requires Australian businesses that suffer an "eligible data breach" to notify the Australian Information Commissioner and all individuals whose personal information may have been compromised. Failure to comply can attract heavy penalties, with fines of up to $360,000 for individuals and $1.8 million for organisations.
The scheme applies to all organisations covered by the Privacy Act, which in general means businesses with an annual turnover above $3 million. However, smaller businesses are also covered if they handle certain kinds of sensitive information (for example health records or tax file numbers), so this legislation can still affect your business even if you fall under the turnover threshold.
The Office of the Australian Information Commissioner (OAIC) advises that a data breach is an "eligible data breach" if it is likely to result in serious harm to any of the individuals to whom the information relates.
Whether a data breach is likely to result in serious harm requires an objective assessment, determined from the viewpoint of a reasonable person in the entity’s position.
The OAIC also advises that not all data breaches are notifiable. For example, if an entity acts quickly to remediate a data breach, and as a result of that action the breach is no longer likely to result in serious harm, there is no requirement to notify any individuals or the Commissioner.
An eligible data breach arises in one of three ways: "unauthorised access" to personal information, "unauthorised disclosure" of personal information, or "loss" of personal information. Each is outlined below.
Unauthorised access
This occurs when personal information held by an entity is accessed by someone who is not permitted to access it. An example would be an employee browsing sensitive customer records without any legitimate purpose, or a computer network being compromised by an external attacker resulting in personal information being accessed without authority.
Unauthorised disclosure
This occurs when an entity, whether intentionally or unintentionally, makes personal information accessible or visible to others outside the entity, and releases that information from its effective control in a way that is not permitted by the Privacy Act.
For example, an employee of an entity accidentally publishes a confidential data file containing the personal information of one or more individuals on the internet.
Loss
This refers to the accidental or inadvertent loss of personal information held by an entity, in circumstances where it is likely to result in unauthorised access or disclosure.
For example, an employee of an entity leaves personal information (including hard copy documents, unsecured computer equipment, or portable storage devices containing personal information) on public transport.
The government provides a Privacy Management Plan template, which is an excellent resource for your business.
Cyber Risks have quickly become one of the leading exposures to Australian businesses. The Australian Government estimates almost 700,000 businesses have experienced a cybercrime. Of these attacks, 60% were targeted at small to medium businesses with the average cost of a cybercrime attack being more than $275,000.
Despite these alarming statistics, the attitude of "it won't happen to me" persists. However, the evidence is mounting that it is not a matter of "if" but "when".
Losses can be extensive, especially when your customers' personal information has been stolen. The costs of crisis management, notifying your customers, IT system remediation, recreation of lost data and extortion demands can add up very quickly.
Cyber Insurance has been around for a few years now and many Insurers have reduced the entry level cost for basic policies to help you if you are impacted. In fact, Cyber Policies can be purchased from as little as $300 per year.
When a cyber breach occurs, your insurance policy will be crucial in helping you deal with the incident, and in covering the costs your business incurs when making a data breach notification.
Cyber & Privacy Protection Insurance can also provide protection for other exposures including:-
> System Damage: Can cover damage to your IT systems and lost data, as well as the cost of external IT forensic and security consultants
> Business Interruption: Can cover loss of profits as a result of the attack
> Computer Virus & Hacking: Aims to cover the liability arising from hackers and viruses (including the loss or theft of data), as well as losses resulting from phishing emails or Denial of Service attacks.
It is crucial that all data is backed up regularly, with copies kept off site so that a backup survives an incident affecting your main systems. It is also vitally important that appropriate anti-virus and security protection is kept updated at all times.
We have covered this before, but now more than ever it is important to ensure you and your staff are taking appropriate action. Besides having a quality Cyber & Privacy Protection Insurance policy in place, you need to ensure your organisation regularly informs all of your staff what to watch out for. Some examples include:
What you need to do
If you believe that this issue is relevant to your business, please feel free to contact Rebecca Fleming, Account Manager of our Travel Industry Division at Gow-Gates Insurance Brokers on (02) 8267 9919 or firstname.lastname@example.org to discuss your circumstances or to obtain a quotation.
Gow-Gates Insurance Brokers advises that persons should not act on the material contained in this article as the items are of a general nature only and may be misinterpreted. We therefore recommend that advice be sought before acting in these areas.