Mandatory Data Breach Notification is here

On February 23, 2018 the Privacy Amendment (Notifiable Data Breaches) Act 2017 came into effect. What does this mean for your business?

The legislation requires Australian businesses that have been affected by a serious data breach to notify all customers whose information may have been compromised. If the organisation does not comply, heavy penalties may be imposed – fines of up to $360,000 for individuals and $1.8 million for organisations.
Currently the size of businesses impacted by this legislation concerns all organisations with turnover above $3 million, however if you are handling sensitive information, then this new legislation can still impact your business.

What is a notifiable data breach?

The Office of the Australian Information Commissioner (OIAC) advises that a data breach is eligible if it is likely to result in serious harm to any of the individuals to whom the information relates.

Whether a data breach is likely to result in serious harm requires an objective assessment, determined from the viewpoint of a reasonable person in the entity’s position.

The OIAC also advises that not all data breaches are notifiable – for example if an entity acts quickly to remediate a data breach, and as a result of this action the data breach is not likely to result in serious harm, there is no requirement to notify any individuals or the Commissioner.

There are three main areas to be considered when a notifiable data breach occurs and results in “unauthorised access” or “unauthorised disclosure” of personal information:

• Unauthorised Access

An example would be when an employee browses sensitive customer records without any legitimate purpose, or a computer network is compromised by an external attacker resulting in personal information being accessed without authority.

• Unauthorised Disclosure

This occurs when an entity, whether intentionally or unintentionally, makes personal information accessible or visible to others outside the entity, and releases that information from its effective control in a way that is not permitted by the Privacy Act.

For example, an employee of an entity accidentally publishes a confidential data file containing the personal information of one or more individuals on the internet.

• Loss

This refers to the accidental or inadvertent loss of personal information held by an entity, in circumstances where is it is likely to result in unauthorised access or disclosure.

For example, an employee of an entity leaves personal information (including hard copy documents, unsecured computer equipment, or portable storage devices containing personal information) on public transport.

The government provides an Privacy Management Plan template, which is as an excellent resource for your business. Click below to view.

Privacy Management Plan Template

Cyber Security around Privacy

Cyber Risks have quickly become one of the leading exposures to Australian businesses. The Australian Government estimates almost 700,000 businesses have experienced a cybercrime. Of these attacks, 60% were targeted at small to medium businesses with the average cost of a cybercrime attack being more than $275,000.

Despite these alarming statistics, there is still the attitude of “it won’t happen to me”. However, the evidence is mounting that is not a matter of “if” but “when”.

Losses can be extensive, especially when your customers’ personal information has been stolen. The cost of Crisis Management, notifying your customers, IT system remediation and recreation of lost data and extortion costs can add up very quickly.

Cyber Insurance has been around for a few years now and many Insurers have reduced the entry level cost for basic policies to help you if you are impacted. In fact, Cyber Policies can be purchased from as little as $300 per year.

When a Cyber Breach occurs, your Insurance Policy will be crucial in assisting you to deal with the incident and providing your business with cover for costs incurred when making a data breach notification.

Cyber & Privacy Protection Insurance can also provide protection for other exposures including:-

> System Damage: Can cover your IT Systems as well as lost data and also the cost of external IT Forensic and Security Consultant costs

> Business Interruption: Can cover loss of profits as a result of the attack

> Computer Virus & Hacking: Aims to provide cover for the liability arising from hackers and viruses (including the loss or theft of data) and also losses as a result of phishing emails or Denial of Service attacks.

It is crucial that all data is backed up regularly (and copies kept off site). It is also vitally important that appropriate virus / security protection is kept updated at all times.

Best Practices

We have covered this before, but now more than ever it is important to ensure you and your staff are taking appropriate action. Besides having in place a quality Cyber & Privacy Protection Insurance Policy, you need to ensure your organisation regularly informs all of your staff what to watch out for. Some examples include:

• Be wary of unsolicited phone calls. People can claim they are from your bank or other well-known organisations and can be very convincing. Do not give out information that the organisation calling you should already know. Fraudsters will often say there is a problem with your account, ask you to transfer money. They can even ask you to call a number you know and keep the phone line open so when you call back you are speaking to them.
  
  
• Always be very careful with your customers personal details and how this information is used or who it is provided to.
  
  
• Unsolicited emails may direct you to a link containing a virus – just one accidental click can bring an entire network down. Remind your staff that under no circumstances should these emails be opened, and if it does happen, it should be reported IMMEDIATELY. The sooner your IT firm is advised, the sooner the damage can be halted.
  
  
• All portable equipment (laptops, smartphones, iPads and the like) should be password protected/encrypted to protect sensitive information. When these items are lost, it is not only the property that has gone – the unsecured information could be much more costly.

What you need to do

• Ensure you have protocols that are followed by all staff at all times
• Should an attack happen, act immediately and contact your IT Provider 
• Be certain that you have a comprehensive Cyber & Privacy Protection Insurance Policy in place – if an attack happens, your Broker will be able to put you in contact with specialist firms that can assist you through the incident.

If you believe that this issue is relevant to your business, please feel free to contact Rebecca Fleming, Account Manager of our Travel Industry Division at Gow-Gates Insurance Brokers on (02) 8267 9919 or rfleming@gowates.com.au to discuss your circumstances or to obtain a quotation.

Gow-Gates Insurance Brokers advises that persons should not act on the material contained in this article as the items are of a general nature only and may be misinterpreted. We therefore recommend that advice be sought before acting in these areas.