Should you be concerned?
What is it?
Under the Notifiable Data Breaches (NDB) scheme in the Privacy Act 1988, entities in Australia have data breach notification obligations when a data breach is likely to result in serious harm to any individual whose personal information is involved. A data breach includes:
• unauthorised access to personal information
• unauthorised disclosure, whether intentional or unintentional
• loss, meaning the accidental or inadvertent loss of personal information
It applies to organisations with annual turnover of $3m+ (there are some exceptions).
What information is covered under the Act?
• ‘sensitive information’ such as information about an individual’s health
• documents used for identity fraud (including Medicare card, driver licence, and passport details)
• financial information
• a combination of types of personal information that allows more to be known about the individuals
When does it start?
22 February 2018
What are the fines if a data breach occurs and the required steps are not taken?
Up to $1.7m
How can I mitigate the risk of a data breach?
• train employees and put robust processes and controls in place
• enhance cyber security
• have a Breach Response Plan
• have insurance in place
What do you need to do if a data breach occurs?
• remediate (Breach Response Plan)
• comply with the Act, including notifying the Regulator, if required, within 30 days
• notify your insurance provider (if you have cover)
What if I also operate offshore?
The US and EU have separate, and often more stringent, data breach regulations that will need consideration.
The link to the regulator (Office of the Australian Information Commissioner) is worth a visit:
At the end of the day, insurance will not stop a data breach, but it will lessen the financial burden of (a) cost of notifications and meeting the requirements of the Act, and (b) any potential regulatory fines or penalties.
Even with protections and systems in place to stop a data breach, to some extent it is a matter of “when”, not “if”. The most common data breaches are often caused by the actions of your own employees, through phishing emails and the unintentional release of information. We see this regularly among our own customers.
In the case of a data breach, large or small, the question is whether you can afford the notification and internal costs as well as possible fines.
If the answer is no, then a robust cyber liability policy is a must.
The health warning here is that there is considerable variation in what cyber liability policies cover. This needs to be worked through carefully.
Feel free to contact us to speak with us at any stage.