Historically there has been little motivation for Australian organisations to publicly disclose security incidents in which sensitive personal and private data has been lost or stolen. That changes in February 2018, when Australia’s new Data Notification Law (‘DNL’) comes into force. The law is intended to protect individuals at risk of harm from a data breach by ensuring they are notified promptly, so that they can act to protect themselves.
This Cyber Research paper outlines the main points of the legislation that Australian businesses need to know and the basic steps they must take to prepare and manage the risks. In a nutshell, the DNL imposes a legal requirement on entities to notify affected individuals and the relevant regulator when a security incident compromises protected information.
Fines can be severe – up to $340,000 for individuals and $1.8m for bodies corporate. But the real costs of a data breach can run far higher, into many millions of dollars, and persist for many years. They include incident management costs (incident response, legal costs and data forensic investigation), legal and notification costs (dealing with the regulator and affected individuals) and ongoing protective measures (such as credit monitoring and notification) for every affected individual whose personal data has been lost, for as long as is required. In the USA, medium-sized data breaches involving the loss of 200,000 personal customer records cost affected companies an average of US$25m and took four years to close out.
Reputational damage resulting from a data breach is arguably greater still and hard to quantify. Ultimately, the board and executives of an organisation that suffers a data breach will be held responsible. Organisations within the scope of the DNL include all Australian businesses turning over more than $3m annually and many smaller organisations that hold sensitive customer or employee personal data. All Government bodies and agencies are affected.
Organisations cannot outsource accountability for their data and for breaches by using offshore cloud service providers for storage: the Australian entity is always deemed to be the holder of the data, regardless of its physical location. Organisations must therefore plan now for the impact of the Data Notification Law and take the following steps to mitigate the risks:
- Know your data
- Assess your defences and preparedness
- Address data security operational gaps
- Formalise an Incident Response Plan
- Review policies and procedures
- Get guidance on the law
- Consider other risk mitigation tools such as cyber insurance
Email us for the full White Paper: [email protected]