
Cover your costs: privacy breach notification and cyber liability

According to the Ponemon Institute’s 2015 Cost of Data Breach Study, the average per capita cost of data breach in the United States is $217, while the average total organisational cost is $6.5 million. Comparatively, in Australia, the draft Regulation Impact Statement cited the average cost of notification at $70,000, while the total cost of a data breach is typically upwards of $2.82 million. While this is significantly lower than the cost of data breach in the United States, the economic impact of data breach for Australian businesses carries substantial weight.

In light of the Federal Government’s Notifiable Data Breaches Bill passed through the Senate this week introducing a mandatory data breach notification scheme, we consider how these laws will affect your business and the role of insurance in reducing the cost of a data breach.

How will the new Bill affect my business?

Generally, breach notification laws require companies that store personal information to notify affected individuals in the event that the confidentiality of that information is breached or suspected to have been breached. According to the new legislation, a data breach constitutes any incident “where there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals, or where such information is lost in circumstances that are likely to give rise to unauthorised access or disclosure”.

The three main causes of a data breach, according to the Ponemon Institute, an independent research company headquartered in Michigan, include a malicious or criminal attack, system glitch, or human error. However, the Bill defines a breach to be “not limited to malicious actions”, and includes lost or stolen laptops or removable devices, paper records that have been misplaced or stolen, and emails sent with sensitive data to the wrong person.

The Bill, set to come into effect at a yet unspecified date over the next 12 months, will amend the Privacy Act 1988 and will apply to all Australian companies with an annual turnover of more than $3 million. Once the provisions become law, such companies, approximately 6 percent of registered Australian businesses, will have an obligation to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals in the event of an “eligible data breach” with respect to the information that the company holds on those individuals.

The new legislation defines an “eligible data breach” as one where a “reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals as a result of the unauthorised access or disclosure”. Thus, affected companies will need to put in place processes that allow them to determine when a breach has occurred, whether the data breach is an “eligible data breach” under the Bill, and whether they have a notification duty with respect to that breach.

Under the Bill, companies must carry out a reasonable and expeditious assessment of whether there are plausible grounds to believe that the relevant circumstances amount to an eligible data breach, within 30 days of the entity becoming aware of the breach. Failure to do so will be taken to be an interference with the privacy of an individual, constituting a breach of the Privacy Act. What’s more, if that failure amounts to a serious or repeated interference with the privacy of an individual, it will violate the civil penalty provision of the Privacy Act, exposing the company to fines of $1.8 million.

According to cyber security expert at Sense of Security, Michael McKinnon, this new legislation means that “the stakes are a lot higher now; businesses will have to take care and apply due diligence when it comes to storing customer data”. Companies need to be aware that responsibility now falls to them, and as such they need to have the right measures in place.

Insuring your privacy breach notification costs

According to Graeme Newman, Chief Innovation Officer at CFC Underwriting, data breach is the number one reason why people buy cyber insurance. It is therefore not surprising that insurance protection can deliver significant benefits when a breach occurs.

Typically, cyber liability covers clients for breach notification services. This may include providing a forensic investigation team to look into the source and scale of a breach, providing legal advice in terms of drafting notification letters and covering the cost involved in printing and posting those letters, and providing credit monitoring services. Cyber liability policies may also cover public relations costs, ransom payments, and business interruption losses. Third party liability is also generally provided, covering claims made by affected third parties.

As cyber risk rises to a top-of-the-list issue for the Federal Government with the introduction of the national mandatory data breach notification scheme, so too should it be a top priority for Australian businesses and organisations, and not only those legally obligated to notify the Privacy Commissioner under the new legislation. Cyber prevention and response should be an integral part of an entity’s risk management program, and cyber insurance is one part of that program.

Today, businesses are increasingly reliant on technology and as such, are more exposed to cyber risks. To learn more about the cyber threat landscape and whether obtaining a cyber liability policy is appropriate to manage your cyber risks please drop us a comment, email, or call Intuitive on (02) 9493 6111. We’d love to hear from you!
