Cyber breaches: companies urged to go above and beyond
Companies should look beyond compulsory data breach reporting requirements to help mitigate potential reputational damage from cyber attacks.
Sparke Helmore Lawyers consultant Colin Pausey says organisations should ensure they inform customers if they are hacked, and should look to Australian Privacy Principle 11 (APP 11) as a guide on their duty of care to protect information.
“There’s no automatic liability, but you can mount a defence if you’ve taken reasonable steps, consistent with APP11,” he told a webinar for insurance brokers hosted by Emergence Insurance. “You can be negligent if your conduct falls below a standard that can reasonably be expected.”
APP 11 requires organisations to take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure.
Australia's Notifiable Data Breaches scheme came into effect in February last year and is overseen by the Office of the Australian Information Commissioner.
But Mr Pausey says companies hold other vital client information that is not subject to the notifiable breach scheme, and reputational damage could be significantly greater if businesses do not inform customers whose information may be at risk.
“The cost involved is not burdensome, and notifying customers could prevent further harm,” he said.
Malicious or criminal attacks were the largest source of data breaches in the June quarter, with the health and finance sectors the most targeted, according to the most recent figures from the Office of the Australian Information Commissioner. The office has since moved to six-monthly reporting.
One in three breaches was caused by compromised credentials, with stolen login and password details used to gain unauthorised access to personal information.
Emergence National Head of Sales Gerry Power says it is important to be honest and transparent if a hack occurs.
“Give your customers the ability to take preventive steps,” he said.
Staff training was also highlighted at the webinar as an important mitigation measure.