New reporting rule forces data breaches into open
Businesses will be required to report data breaches under Privacy Act amendments passed by Federal Parliament last week, raising the stakes for cyber risk management.
Federal agencies, along with companies and non-profits with annual turnover of $3 million or more, will have to notify the Office of the Australian Information Commissioner of breaches, and alert affected individuals.
At present organisations are encouraged to notify the office, but there is no legal obligation. Under the rules passed last week, penalties will include fines of up to $360,000 for individuals and up to $1.8 million for organisations.
Aon National Practice Leader for Cyber Risk Fergus Brooks says the amendments are a “game-changer”.
“These financial implications will require a systematic change of attitude for many organisations, and conversations around cyber risks and data security need to be elevated to boardroom level,” he said.
“The new law will come into effect within a year. However, we recommend that organisations start preparing now.”
Costs arising from breaches can include business interruption, incident response, third-party claims, legal costs and damage to data.
Barry.Nilsson Lawyers says the Privacy Act amendments signal a new era of transparency and corporate responsibility, and bring into focus the regulatory, reputational and other potential costs associated with breaches.
“Mandatory notification will bring our laws into line with those of other first-world countries and drag serious Aussie breach events out of the shadows and into the light of public scrutiny for the very first time,” Insurance and Health Group Special Counsel Megan O’Rourke said.
She says insurers and brokers should educate themselves on the requirements and the consequences from an underwriting and claims management perspective.