Mandatory data breach notification laws within Australia came into effect on 22 February 2018, and with new regulations come new challenges for Australian business owners and employees surrounding information security and data breach response. Many organisations are facing regular scams and cyber attacks from criminals using sophisticated methods. Claims data shows that the majority of incidents stem from a lack of employee security awareness within the business.
As of 22 February, organisations are required to conduct an assessment of whether an eligible data breach occurred within 30 days of becoming aware that a suspected breach has occurred. If the organisation has grounds to believe that there has been an eligible breach, it must notify The Office of the Australian Information Commissioner as soon as it is able to do so.
Responding to an attack or breach can be extremely costly, as business interruption expenses escalate quickly. The average time for an Australian SME organisation to resolve a data breach or attack is 23 days. Could your business continue trading without access to client information, websites, ordering or payment processing systems? We recommend performing a precautionary third-party cyber risk review as soon as practicable.
Tips For Data Breach Response
The tips below are from a recent article by Reece Corbett-Wilkins, Associate at Norton Rose Fulbright, published on Insurance Law Tomorrow, which highlights five important steps to take before and after a data breach.
- Develop and test internal response processes to ensure that potentially notifiable incidents are identified and reported to the legal / risk management function as early as possible. Valuable time can be lost in this initial phase.
- Seek the assistance of external legal counsel and other service providers, where appropriate, to limit the potential exposure following an incident. External providers can advise organisations on whether remedial action can be taken to avoid the risk of harm from eventuating, which may remove the need to notify affected individuals and the Privacy Commissioner.
- Although affected individuals and the Privacy Commissioner must be notified where required, organisations and agencies should not adopt a strategy of notifying all incidents as a matter of course. This is not the intention of the legislation and will cause notification fatigue. On the other hand, organisations and agencies should have a sound legal basis for not notifying, after having received external legal advice where appropriate.
- Where an organisation or agency chooses to notify, the notification campaign should be well structured to monitor post-notification liability risk from affected individuals, stakeholders and regulators. Organisations and agencies should manage their ongoing regulatory and claims risk post-notification.
- Notify insurers as soon as possible and obtain consent from insurers before taking any key steps or incurring costs. This will ensure that cover is not jeopardised due to late notification.
How will insurers respond?
Cyber insurance providers in Australia have a panel of experts assembled to resolve your particular incident quickly and cost-effectively. Assistance is available 24/7, as insurance providers understand the importance of immediately rectifying the issue and returning to business as usual. These experts consist of incident response IT investigators, forensic accountants, lawyers, public relations and crisis management consultants. Working with a team of specialists to manage the notification process helps reduce unnecessary downtime and expenses.
Dedicated claims specialists will be assigned and should regularly communicate with you to investigate and manage the situation from start to finish.
Many insurers and brokers can assist with data breach response plans; however, individual organisations should prepare and test a plan catering to their own operational nuances. We recommend keeping a physical copy of your incident response plan on hand, as in past attacks plans and procedures stored on the network have been encrypted and rendered inaccessible.
For more information about the notifiable data breach scheme, data breach response planning, eligible data breaches and resources, take a look at The Office of the Australian Information Commissioner website.
Cyber insurance is a cost-effective way to mitigate the expenses of data breach response.
Contact Cyber Insurance Australia today for a review of your existing insurance policies and a competitive quote.