New data breach laws mean high stakes for business

Businesses are being urged to prepare for the new Notifiable Data Breach scheme,  which is set to transform Australia’s cyber security and reporting landscape.

From 22 February 2018, all qualifying businesses will have a mandatory obligation to report eligible data breaches to the Office of the Australian Information Commissioner and any individuals who may be affected by a data breach.

The new rules have the potential to be a costly exercise for businesses of all sizes, with penalties of up to $360,000 for individuals and $1.8 million for organisations as per existing powers of the Privacy Commissioner.

The new rules apply to businesses who are subject to the Privacy Act. Most notably any organisation with a turnover greater than $3 million will be subject to the reporting requirements.^[1]

In addition, the changes require that all affected customers be notified of a breach and includes the requirement that suspected breaches be investigated within 30-days.

Perhaps most critically, if detection, reporting or notification of a data breach is handled poorly, it may also put the business’ reputation at stake by leaving customers and suppliers discouraged. 

What does it mean for business?

Businesses will need to ensure they have effective risk mitigation techniques in place to address the evolving threat of cybercrime, QBE specialist cyber underwriter Ben Richardson says.

“There’s no such thing as perfect security, but it’s never been more important for businesses to have an effective plan in place. That way if something does go wrong businesses will be ready to trigger their plan of action right away.”

The new regulations around reporting data breaches reinforce the need for all businesses to take a proactive approach to protecting business and IT systems.

“There’s a need to protect but also detect and respond to cyber threats and all this has to happen quickly,” Richardson says.

“Cyber security risks are constantly evolving and changing so it’s not possible to completely eradicate cyber exposure. That’s why it’s vital businesses avoid the set and forget mindset and continuously review and update their mitigation efforts,” he added.

SMEs under spotlight

Sixty per cent of small businesses who experience a significant cyber breach are out of business within the following six months, according to figures quoted by the Australian Small Business and Family Enterprise Ombudsman. ^[2]

Yet Telstra’s Cyber Security Report 2017 found thirty-three per cent of businesses with less than 100 employees don’t take proactive measures against cyber-security breaches.^[3]

Eighty-four per cent of Australian small and medium businesses are run online.^[4]  It’s therefore likely that in today’s connected landscape, almost all businesses will routinely collect customer data. 

For example, people are increasingly providing personal information to retailers to shop online or to gain rewards with almost three quarters of Australians signed up to a store loyalty program.^[5]

Small businesses which routinely collect personal data include childcare centres, gyms, general practitioners and pharmacies.

“It’s not just large organisations that will need to respond to the new mandatory reporting regulations, but the small end of town too,” says Richardson. “And prevention and planning will have the biggest impact on dealing with these threats.”

Talk to a local Agent today

At Elders Insurance we specialise in providing a range of unique business insurance packages designed to suit your specific circumstances. Whether you're running a business on your own, or you're part of a small to medium enterprise, we'll find a business cover that fits your needs. 

You'll always speak with a local Agent who will get to know you and your business, and will be on hand to provide you with the best cover and advice, whenever you need it.

You should ensure you obtain and consider the Product Disclosure Statement for the policy before you make any decision to acquire it. The information on this website has been prepared without taking into account your objectives, financial situation or needs.

Elders Insurance is underwritten by QBE Insurance (Australia) Limited ABN 78 003 191035 AFSL 239545.

[1] Part II, Section 6D of the Privacy Act 1988 

[2] Testimony of Dr. Jane LeClair, Chief Operating Officer, National Cybersecurity Institute at Excelsior College, before the U.S. House of Representatives Committee on Small Business (Apr. 22, 2015), docs.house.gov/meetings/SM/SM00/20150422/103276/HHRG-114-SM00-20150422-U4.pdf

[3] https://www.telstra.com.au/content/dam/tcom/business-enterprise/campaigns/pdf/cyber-security-whitepaper.pdf

[4] https://www.pmc.gov.au/resource-centre/cyber-security/australias-cyber-security-strategy

[5] https://www.oaic.gov.au/media-and-speeches/news/retailers-check-out-mandatory-data-breach-reporting-obligations-and-prepare-for-2018