The cost of a data breach
You may think that your business is an unlikely target for a data breach, and that if one did happen it wouldn’t matter much because your business doesn’t hold any valuable data anyway. However, with Australia’s mandatory data breach notification laws starting on 22 February 2018, you might be interested in finding out more about the costs of a typical breach as well as the costs of non-compliance.
A new report by Clyde & Co – “Preparing for Australia’s Mandatory Breach Notification Law: What does it mean for businesses” – found, after analysing 30 global data breaches, that legal costs (including privacy counsel, regulatory legal costs, investigation costs, etc.) make up 41.2% of all costs of a data breach. Notification costs (e.g. identifying and notifying affected individuals) made up 18.3%, and forensic costs (including retaining IT and security experts to provide ongoing advice on the management of each breach) made up 18.1%.
Converting this data across to Australian conditions, the report says “The costs of dealing with and responding to regulatory investigations is the most significant exposure for organisations (57.3 per cent), followed by legal costs associated with advising on privacy obligations and to manage compliance with these laws (33.8 per cent).”
So what exactly is a data breach?
It is personal information held by an organisation that is lost or subjected to unauthorised access or disclosure.
Do I have to notify of a data breach?
The law applies to all entities regulated under the Privacy Act: businesses with a turnover of more than $3 million; APP entities, i.e. organisations that hold personal or sensitive data, such as health service providers; credit reporting bodies; credit providers; entities trading in personal information; and employee associations registered under the Fair Work (Registered Organisations) Act 2009. These entities will have to notify both the Australian Information Commissioner and affected individuals of an ‘eligible data breach’ if it is likely to result in serious harm to an individual, i.e. a serious risk of financial, economic or physical harm, or even distress. As soon as you have ascertained that the breach is going to be harmful, you must notify the Office of the Australian Information Commissioner (OAIC) as well as the individuals who are ‘at risk’. If you do not notify in this instance you could find yourself facing a fine of up to $360,000 for individuals and $1.8 million for corporations.
What should I be doing now to prepare?
Become acquainted with what data is captured and where it is held within the organisation and what your legal and regulatory obligations are relating to that data.
It is essential for organisations to have incident response plans that incorporate the timeframe requirements provided for in the Data Notification Law (more information on this can be obtained from the OAIC’s website https://www.oaic.gov.au/).
Testing is recommended to establish an organisation’s readiness to deal with an incident. This includes staff training on awareness of the risk, which should not be underestimated. Of course, investment in IT security, resources and effective internal teams will most likely reduce the extent of an organisation’s vulnerability and improve its ability to respond.
Risk Management Tools
The benefit of risk management tools, including insurance, should be carefully considered and tailored to match the specific needs of an organisation. This includes assessing whether insurance should be used to support incident response, mitigate first party costs, protect against business interruption losses, and/or cover any third party risks an organisation is exposed to.
Entities should also consider contracts and whether terms (including indemnities) can be used to assign responsibility and carve out liability when data breaches occur.
Organisations need to consider and carefully manage their internal reporting to boards and senior managers. Regulators seem to take a dim view of poor governance where security incidents occur, so it is crucial that organisations have appropriate mechanisms in place.
Our cyber insurance experts at Coverforce Leed Insurance Brokers can help you assess your business and give you advice on the different cyber insurance policies which might best suit your company and the range of protection these can provide. To find out more, please don’t hesitate to contact us or give us a call on 1300 881 464.