Cyber Law in Australia - Data Breaches & Insurance (Thomas Miller Law - Sydney)
Peter Jackson
Director - Thomas Miller Claims Management (UK), President - Thomas Miller Claims Management USA
Although cyber insurance has been available in the US since the early 2000s, it is still relatively new in Australia, though it is growing more relevant and vital by the mouse click. The Australian answer to the increasing risks faced by individuals and businesses is the Privacy Amendment (Notifiable Data Breaches) Bill 2016, which was passed in February this year. Once given assent, the Act will impose stricter obligations on businesses considered to be ‘regulated entities’ under the Act. Such businesses will include: businesses with an annual turnover of more than A$3 million, health service providers, credit reporting bodies, credit providers and tax file number recipients.
These obligations were mandated to reiterate the importance of guarding sensitive and personal information held on computers, and to make clear that companies must not become complacent about those obligations.
The new law will amend the Privacy Act 1988 and will require the relevant entities to report data breaches to affected individuals if those breaches are likely to result in serious harm.
Companies will be obliged to undertake forensic investigations, as well as to notify affected customers, if there has been an ‘eligible data breach’. A breach will consist of unauthorised disclosure of personal information, unauthorised access to personal information, and/or unauthorised loss of personal information, where a reasonable person would consider that breach likely to result in serious harm to those affected.
When deciding what constitutes ‘serious harm’, a court will most likely look at what, if any, risk management procedures were in place, what kind of harm has resulted, and the type of information that has been compromised.
In the case of a serious data breach, the Privacy Commissioner and the individuals affected must be made aware of the breach as soon as is practicable. Notices in newspapers, online or in other public forums would be sufficient in such circumstances, and also provide a further incentive for companies to comply with the legislation. Such notifications will need to include details of the breach, including a description and the relevant organisations that might have been affected. Recommended steps should also be outlined to the affected parties. The Privacy Commissioner will also have the power to impose penalties in line with existing powers.
These new obligations have the potential to impose significant costs on Australian businesses, especially those uninsured for such costs and/or losses.
Current policies can be obtained to cover the costs incurred in forensic investigations, asset repair or rectification, business interruption, and extortion. To be considered for cover, the insurer will require evidence that a robust system of internal risk management is in place, in line with the obligations expected to be imposed by the incoming laws. Underwriters will therefore look favourably on companies with well-established and well-thought-out cyber security processes.
For further information, please contact our Australian legal team: https://tmlawltd.com/our-people/australia/