What Mandatory Data Breach Notification Means for Australia
Breach Notification Bill Expected to Pass in 2017
Australia is currently on the receiving end of an estimated 10 million cyber attacks per year, according to professional services firm Deloitte. With such a large dragnet across Australian businesses, it is inevitable that there will be some eye-opening data breaches in the coming year and widespread change to company security procedures. We previously wrote about some of the largest data breaches and exposures of 2016, which indicated that approximately 2.2 billion personal records were revealed to have been compromised from 2015 – 2016.
The proposed bill, which has been passed by the lower house but is yet to be introduced in the Senate, will make it a requirement to notify the Australian Information Commissioner and affected individuals if their privacy has been breached. With the exception of eHealth data breaches falling under the My Health Records Act 2012, mandatory data breach notification does not exist yet in Australia. The former Labor government’s Privacy Amendment (Privacy Alerts) Bill 2013 received bipartisan support to introduce such a scheme, but did not pass the parliament before the 2013 election.
Most government agencies, businesses with an annual turnover in excess of $3 million, and a number of smaller organisations, such as those handling sensitive health data, are currently subject to Privacy Act obligations.
Official summary of the bill below:
“Privacy Amendment (Notifiable Data Breaches) Bill 2016 implements recommendations of the Parliamentary Joint Committee on Intelligence and Security’s Advisory report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014 and the Australian Law Reform Commission’s report For Your Information: Australian Privacy Law and Practice by amending the Privacy Act 1988 to require agencies, organisations and certain other entities to provide notice to the Australian Information Commissioner and affected individuals of an eligible data breach.”
Mandatory Breach Notification Laws Abroad
Today, approximately 90 countries have data protection laws or relevant court rulings – ranging from Angola and Argentina to Venezuela and Zimbabwe – but many of those countries still don’t require breached organisations to notify either authorities or the individuals whose personal information was exposed in the event of a breach.
At the time of writing, 47 states, three U.S. territories and Washington D.C. have adopted breach notification laws with varying requirements for organisations. In the past, attempts to replace them with a standard federal law have struggled, in part because some changes would have weakened some states’ current security approach.
The European Union’s General Data Protection Regulation, which will go into effect in May 2018, includes multiple privacy provisions, including mandatory breach notification. The EU regulation is expected to serve as a model for other countries as global awareness spreads.
India has also weighed in on the global discussion, with privacy practitioners stating that the country may not be ready for mandatory breach notifications as it lacks strict regulatory enforcement and is still making amendments to its Right to Privacy Bill 2014. The EU’s GDPR will be especially relevant to the Indian IT industry as it caters to U.S.-based enterprises and processes personal data of EU, Australian and New Zealand citizens.
“It will also significantly increase compliance costs for service providers – which are already higher when serving EU-based clients, as compared with markets like USA. However, GDPR also may remove any misgivings about the Indian industry and data security standards in India,” says Mumbai-based Sunder Krishnan, chief risk officer, Reliance Life Insurance Company Ltd.
Legal Problems
Some warn that when the bill is passed, businesses will face problems very similar to those currently seen in the United States. Data breaches frequently lead to identity theft and financial losses, the victims of which may qualify for a lawsuit. On the other hand, organisations which don’t report their breaches face a range of penalties, including fines of $340,000 for individuals and up to $1.7 million for companies.
Social media has also increased the pressure being put onto businesses as we are seeing unprecedented public customer service complaints causing reputation and public relations nightmares. Expect to see disgruntled customers rallying together using social media after future data breaches.
Class action lawsuits are being enabled by the online connectivity of claimants and are costing organisations millions. Below are a few high-profile data breach settlements from Classaction.com:
- Home Depot (affected 50 million cardholders): $19.5 million settlement
- Sony (PlayStation network breach): $15 million
- Target: $10 million
- Sony (employee information breach): $8 million
- Stanford University Hospital and Clinics: $4.1 million
- AvMed Inc.: $3.1 million
- Vendini: $3 million
- Ashley Madison: $1.6 million
- LinkedIn: $1.25 million
Companies much prefer settling cases out of court to going to trial. But that is especially true for data breach lawsuits, because there is almost no court precedent for these kinds of cases.
Companies like Home Depot and Sony have no idea what would happen if they went to trial to fight a data breach suit, which is a scary prospect.
Insuring Against the Risk
Many Australian insurance providers have already put policies in place to respond to and cover expenses from a data breach. We recently wrote in detail about where cyber insurance steps in, which can be found here. Expenses which are typically covered are:
Forensic Investigation
A forensic IT investigation is necessary to determine what occurred, how to repair the damage and how to prevent the same type of breach. Investigation may involve services from a third party security firm or law enforcement.
Business Interruption
The business may be unable to continue trading and suffer interruption costs due to network security failure or attack, programming errors or human errors. Loss of profits and costs incurred to continue business as usual are typically covered under a cyber insurance policy.
Legal & Public Relations
Cyber insurance policies will cover legal defence costs due to a privacy breach, fines and penalties, reputational damage and public relations expenses to assist an organisation’s public image after a breach.
Extortion & Blackmail Costs
Policies will cover ransomware & extortion costs from criminal organisations and disgruntled employees for the release or protection of private information.
Moving Forward
Mandatory breach notification is the best step forward, but it also relies heavily on organisations actually discovering they have been exposed. In recent reports, numerous websites such as LinkedIn, Myspace and, of course, Yahoo have suffered very high-profile breaches which occurred up to 4 years ago and were only discovered years later.
Many large industry groups including Google, Yahoo, Facebook and Microsoft are stating that the existing voluntary breach notification scheme is effective and doesn’t require change. Despite their support and mixed reception from the private sector, security experts and business leaders from various industries are getting behind the bill and arguing its benefits.
The OAIC annual reports from 2014 – 2015 & 2015 – 2016 are unable to provide enough depth from voluntary reporting, which indicates the need for mandatory laws to be passed. It is likely that the larger industry groups are protecting their interests and understand the ramifications of mandatory breach notification from their legal departments abroad.
It looks inevitable that the bill will be passed and the public understanding of what is happening to their personal information will continue to increase.
Arranging an insurance policy, educating employees and instituting solid security processes will be key to mitigating this risk.