New Data Privacy Legislation – Introduction of mandatory data breach notification

15 Feb 2018
EAC

A collective chill scuttled across the nation in late 2017 when the Australian Cyber Security Centre’s latest Threat Report assessed the risk of cyber compromise as “high” for local organisations.

It had already recorded a 15 per cent increase in cyber incidents in the previous 12 months – rising to 47,000 – with 56 per cent of the incidents affecting industry rather than the public sector. But only 58 per cent of those incidents were self-reported; the ACSC identified the remainder itself.

This apparently relaxed approach to cyber compromise is about to face its biggest challenge ever with the introduction of mandatory data breach notification for companies when they endure a serious compromise. And companies will have just 30 days to alert the authorities. Under the Privacy Act, there is some leeway for organisations that turn over less than $3 million per year; however, any organisation that holds potentially harmful information is not exempt.

Having a current, tested cyber incident identification and response plan which allocates responsibilities, expedites notification and remediation, and leverages appropriate cyber insurance coverage is essential in this emerging era of mandated notification.

Certainly the threat of data breach is not declining; attacks on personally identifiable information and the use of credential-harvesting malware are on the rise, according to the ACSC’s threat report.

The ACSC report also noted that managed service providers – which might deliver cloud computing services or outsourced information systems – are also being targeted as a way to access customer data. Companies cannot outsource their breach notification obligations, but instead need to ensure that they are aware of where their data reserves are held, and have systems in place to expedite breach notification and systems remediation regardless of the location of data.

With the clock ticking for Australian data breach notification, businesses both large and small need to immediately assess their exposure, risk mitigation opportunities, processes and procedures to ensure they can respond to the notification schedules in Australia.

Six steps to preparing for breach notification

  1. Get across the detail of the legislation and implications for your organisation.
  2. Understand what data you have, where and how it is stored – review and test your existing systems for managing and storing data and ensure they are compliant/robust.
  3. Ensure you have a plan on how to address the legislation. This plan should be integrated with your cyber risk plan, cyber incident response plan and overall crisis management and business continuity plan.
  4. Consider implementing the Australian Signals Directorate’s Essential Eight guidelines for cyber-attack mitigation and incident management.
  5. Communicate the plan to key leaders across the organisation, get their buy-in, and educate employees.
  6. Do any work required to prepare for legislation and review your current insurance arrangements with your broker to ensure you have adequate insurance and a response team at the ready.

To find out more about the new privacy legislation or to learn more about Cyber Liability Insurance, visit aon.com.au/cyber cover, email au.realestate@aon.com or call Aon on 1300 734 274.

* Conditions apply. Price dependent on exposure risk and selected limits. For full policy wording please contact 1800 805 191. © 2017 Aon Risk Services Australia Limited | ABN 17 000 434 720 | AFSL 241141. This information is general in nature and should not be relied on as advice (personal or otherwise) because your personal needs, objectives and financial situation have not been considered. So before deciding whether a particular product is right for you, please consider the relevant Product Disclosure Statement or contact us to speak to an adviser.

Originally published by Aon