The Australian Government’s Notifiable Data Breaches scheme came into force on 22 February 2018. It requires any organisation regulated by the Australian Privacy Act to notify individuals affected by a data breach that is likely to cause them serious harm, and also to notify the Australian Information Commissioner.
It’s generally acknowledged that, no matter how diligent an organisation and how stringent its security practices, data breaches are inevitable. So every organisation needs to be well prepared for this inevitability in order to minimise damage.
Australian Notifiable Data Breaches scheme
- which agencies and organisations have obligations under the scheme, including in instances where multiple parties are affected by an eligible data breach
- how to identify an eligible data breach
- exceptions to notification obligations
- how to notify affected individuals and the Commissioner
- the role of the OAIC in the scheme
The OAIC says it has updated its "Data breach notification — a guide to handling personal information security breaches" and its "Guide to developing a data breach response plan" resources to develop a comprehensive guide to data breach management responsibilities and best practice.
The new regulations provide for the imposition of fines of up to 10,000 penalty units — equating to $2.1 million — for breaches of legislation, but that could be the smallest component of the total cost.
For several years the US-based Ponemon Institute has conducted annual surveys of the cost of data breaches suffered by companies in Australia. The report published in June 2017 found the average total cost for the companies surveyed to be $2.51m.
Ponemon’s figures for a similar study in the US, where regulation and legal action following data breaches are plentiful, are much higher: $US7.35m ($A9.1m).
In 2017 Ponemon Institute benchmarked Australian companies and found the average cost of a data breach to be $2.51m. In the US the figure was $A9.1m.
Unlike the Australian Notifiable Data Breaches scheme, in the US there are no specific penalties for a data breach. However, there is plenty of legislation that creates ample scope for civil actions to penalise organisations that lose data.
According to a legal website, in recent years the United States has been a leader in the global data privacy and security regulatory arena but privacy and data security mandates are promulgated at federal, state and local levels and violations generally lead to civil, not criminal, penalties.
The Ponemon study also included no breaches in which the number of records stolen exceeded 70,000. Ponemon specifically excluded breaches in excess of 100,000 records, saying they were not representative of the breaches suffered by most organisations and would have skewed the results.
One avenue of protection against the cost of a data breach is cyber insurance, and as a specialist insurance broker points out, the benefits of this can extend beyond financial compensation for damage suffered.
Its website lists the potential benefits of a cyber insurance policy as including: access to the insurer's response team, assistance in investigating and resolving data security incidents, advice on the obligation to notify and on drafting the notification, and legal and public relations support.