On 22 February 2018 the Privacy Amendment (Notifiable Data Breaches) Act 2017 came into effect. The new law establishes that organisations that suffer an eligible data breach must notify affected individuals and the Office of the Australian Information Commissioner (OAIC).
An eligible data breach is a breach which triggers notification obligations and is likely to result in serious harm to any of the individuals to whom the information relates. A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure.
The Notifiable Data Breaches (NDB) Scheme makes it compulsory for businesses with at least $3m annual turnover to report breaches to affected individuals and the OAIC. However, there are exceptions such as health service providers, credit reporting agencies and subsidiaries of companies with a turnover of more than $3m, amongst others.
This Amendment makes it important for companies and individuals to establish whether the new laws apply to their particular activities.
Organisations that fail to keep data secure and don’t take the prescribed steps under NDB legislation can be fined up to $2.1m before an affected individual even considers taking legal action. The civil penalties could end up costing a business much more.
For the first twelve months there will be a grace period where it is unlikely, but not impossible, that an organisation would face penalties for failure to notify breaches to the OAIC.
Apparently some listed companies expect cyber risk to rise over the next year, but few are confident that they can detect, respond to and manage an intrusion into their computer systems. However, it isn’t only the large corporations and multinationals that have a problem with mistakes, unauthorised access to their systems and hackers. Small to medium and mum-and-dad businesses are also at risk, and maybe more so, as they would not necessarily have the sophisticated, expensive computer security in place that the larger organisations employ.
Overseas class action lawsuits are already occurring as a result of data breaches, so it could be only a matter of time before Australian courts start seeing a similar pattern. Cyber event remediation is expensive and the cost could increase now that the Notifiable Data Breaches (NDB) scheme is in operation.
In the event that a company is sued for a data breach which may have affected a company or individual monetarily or caused personal embarrassment or anxiety, the right cyber insurance policy can recoup losses associated with the breach, including providing response costs, protecting revenue stream and defending against third-party legal action.
In Australia the insurance industry recognises the need for cover for the ever-increasing risk of cyber-crime, and our professional staff at Peter Vickers Insurance Brokers can offer cover to businesses and individuals that depend on the security of their data systems.