Mandatory breach notification: one month on

Mandatory breach notification: one month on | Insurance Business

In the short time since the late February rollout of Australia’s mandatory breach notification scheme, the privacy commissioner has already been notified of 31 breaches, an Aon expert has said.

Fergus Brooks, cyber risk practice leader at Aon Australia, said that statistics released by the privacy commissioner last week highlight the impact mandatory breach notification has already had - but businesses still need to do more work.

“I think what I have seen is an increased level of awareness and concern with people really asking the questions now: what should we do, what is the problem, what does the legislation actually mean? It hasn’t necessarily led to an immediate uptake in business, but I am certainly kept busy in terms of helping people to understand where their liabilities lie,” Brooks told Insurance Business.

With figures amounting to almost one notified breach a day, Brooks said that Australia’s cyber environment is well on its way to becoming comparable to the United States, and Australian businesses should look to the US as a guide.

“I think Australian companies, we certainly should be looking at the US not necessarily as a role model, but this is a future we can anticipate and we should be prepared accordingly,” Brooks said.

Shipping company Svitzer was the first publicised data breach following the enactment of the new scheme; the firm announced earlier this month that it had suffered a data breach, as reported by ABC. While the privacy commissioner has no obligation to go public following a reported data breach, it is only a matter of time before more breaches become public as affected customers are notified. As such, Brooks noted that planning and preparation remain as important as ever.

“The only way to reduce damage to brand and reputation from a cyber incident is to handle it well,” Brooks said. “That reduces all of your problems.

“In terms of incident response planning, and I think this is the most critical thing, if you have a plan and you do have a data breach then notification will be a no-brainer so you are not going to fall foul of the privacy commissioner.”

Brooks recommended that brokers and the clients they represent look to a new guide, recently published by the privacy commissioner, which gives an idea of who is covered by the new legislation, the best ways to plan and respond to a breach and how to avoid fines and penalties from the commissioner.

“If an organisation is looking seriously at incident response planning and reading the excellent guide the privacy commissioner has put out and is acting on them, then they are in a much better position than the people doing the emu with their head in the sand,” he said.