New Privacy legislation – time to get your data protocols in place

June 6, 2017 | Australia

The Privacy Amendment (Notifiable Data Breaches) Act 2017 has created a new reporting obligation for companies when an ‘eligible data breach’ occurs and your company needs to prepare.

With the growing risk of cyber crime, data privacy measures have become a major focus. Within 12 months, Australian companies regulated by the Privacy Act (which generally excludes those with an annual turnover of $3 million or less) will have to comply with this new legislation. For the first time, some companies will be obliged to notify the Office of the Australian Information Commissioner, and affected individuals, of data breaches.

What is an ‘eligible data breach’?

An ‘eligible data breach’ occurs when there is an unauthorised loss of personal information that is likely to result in serious harm to any individual to whom the information relates.

These breaches are not limited to malicious actions such as hacking; they can also arise from a failure to follow your company’s own in-house information-handling protocols.

What do you need to do if this occurs?

If you realise that your company has been breached or has lost data, you will now have to report the incident to the Privacy Commissioner and notify affected customers as soon as you become aware of it. If there is only a reasonable suspicion of an eligible breach, your company must carry out a ‘reasonable and expeditious assessment’ within 30 days of becoming aware of it.

Penalties are severe: failure to report could result in fines of $300,000 for an individual (another important consideration for directors and officers) and $1.8 million for companies. There is also significant reputational risk, with unlimited potential for adverse publicity, along with continuous disclosure requirements for publicly listed companies.

How can we prepare?

You must now put protocols in place that allow you to quickly assess when a data breach has occurred, whether it is an ‘eligible data breach’, and whether a notification obligation arises.

Looking at risk transfer is prudent. These new requirements are likely to result in more notifications of potential and actual claims under Directors’ & Officers’ Liability insurance, as well as an increased need for Cyber Liability insurance.

We continue to see insurers offering expanded solutions through specific Cyber Liability insurance. Indeed, some insurers who have been offering this class of insurance for some time are now creating a second generation of policy wordings that offer broader coverage in order to differentiate themselves in a crowded market. This is good news – policy coverage is broadening and premiums remain competitive.

Talk to your insurance broker about the risk transfer options that can be put in place to help protect against your cyber liability exposures, including cover for crisis management costs and reputation protection costs in the event of a cyber incident.
