Almost every business is dependent on its critical data. Unfortunately, data breaches are becoming increasingly common and threaten both corporate and small to medium enterprises (SMEs). If that data enters the public domain there is potential for significant losses through compensation, fines, or business interruption. It is estimated that data breaches and sophisticated cyber-attacks cost the Australian economy over $1 billion annually, and they are now considered one of the top emerging risks for business.
Mandatory Breach Notification legislation has passed through Federal Parliament. The newly passed law means organisations that determine they have been breached, or have lost data, will need to report the incident to the Privacy Commissioner and notify affected customers as soon as they become aware of the breach. Those that fail to notify face penalties including fines of $360,000 for individuals and $1.8 million for organisations.
What constitutes a privacy breach?
The legislation considers a serious breach to have occurred when there is unauthorised access to, disclosure or loss of customer information held by an entity, which generates a real risk of serious harm to individuals involved. Such information includes personal details, credit reporting information, credit eligibility information, and tax file number information.
The bill gives the example of when an entity becomes aware that it has “mistakenly emailed the information of one individual to another individual, asks the second individual to delete the information without using or disclosing it, and is confident that the second individual has complied with that request”.
It also gives the examples of a lost or stolen device that has been remotely wiped before its contents can be accessed, or a device left in a taxi where the individual can be certain the driver did not access it.
Improving Cyber Resilience
Cyber resilience is the ability to prepare for, respond to and recover from a cyber attack. The Australian Securities & Investments Commission (ASIC) considers cyber resilience to be a corporate governance matter. Resilience is more than just preventing or responding to an attack – it also takes into account the ability to adapt and recover from such an event.
At a board or senior management level, you are encouraged to frequently review the cyber risks you face. You will need to assess what information, data or operational assets are essential to your business. This may include intellectual property, people or personnel information, financial information, trade secrets, strategic assets, or other information. As part of your assessment, it is useful to maintain an up-to-date inventory of all systems, software and information assets (internal and external), catalogued according to the level of risk exposure associated with each. Because cyber risks evolve and change over time, this will require ongoing monitoring and assessment.
Cyber risks can also arise from within your business, so you may want to review how well informed your staff are of your policies and procedures, as well as encourage good practices for cyber risk management. Good practices can include:
- using strong passwords and changing them periodically
- logging out of systems when they are not in use, particularly when using remote access
- raising awareness of the types of cyber-attacks that may occur and how to report them
Depending on the nature and complexity of your business, you might also consider having a data breach response plan in place to help you manage a data breach. This will provide a framework for managing an appropriate response to a data breach, as well as describing the steps involved in managing a breach if one occurs. You should also consider any obligations that you may have under privacy law. The Office of the Australian Information Commissioner (OAIC) provides resources to assist you to prepare and implement a data breach policy and response plan.
Have you considered Cyber Liability Insurance?
Cyber Liability Insurance covers your business against the expenses and legal costs associated with data breaches. The cover provided by Cyber Liability policies can be quite broad and may cover the following costs:
- business interruption
- forensic investigations
- data recovery
- losses due to threat of extortion
- crisis management
Considering cyber insurance may be an appropriate business decision based on your industry, size, and level of exposure.
Further resources on Cyber Resilience are available from ASIC: https://asic.gov.au/regulatory-resources/digital-transformation/cyber-resilience/