Cyber breach transparency critical after hacks
Companies hacked by cyber criminals should inform their customers even if they’re not legally obliged to do so, a webinar for insurance brokers has been told.
“The cost involved is not burdensome, and notifying customers could prevent further harm,” Sparke Helmore Lawyers consultant Colin Pausey says.
The event was hosted by cyber specialists Emergence Insurance.
Australia’s Notifiable Data Breaches scheme came into effect in February last year and is overseen by the Office of the Australian Information Commissioner.
But Mr Pausey says companies hold other vital client information that is not subject to the Notifiable Data Breaches scheme, and the reputational damage could be significantly greater if businesses do not inform customers whose information may be at risk.
Organisations should look to Australian Privacy Principle 11 (APP 11) as a guide on their duty of care to protect information, he suggests.
“There’s no automatic liability, but you can mount a defence if you’ve taken reasonable steps, consistent with APP11,” he told the webinar. “You can be negligent if your conduct falls below a standard that can reasonably be expected.”
APP11 requires organisations to take reasonable steps to protect information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure.
Staff training was also highlighted at the webinar as an important mitigation defence.
“Your staff are your last line of defence,” Emergence National Head of Sales Gerry Power said.
“Analysis of claims within Emergence’s portfolio shows claims costs are three times higher than average for clients that have no written procedures for their staff.”