Do Cyber Risks make you ‘Wannacry’? Look to Cyber Risk Insurance
14 March, 2018
The threat of Cybercrime
According to research commissioned by the Australian Government, at least 33% of businesses have experienced cybercrime, with 60% of those affected being small and medium businesses. According to the Australian Cyber Security Centre’s (ACSC) Threat Report 2017, the frequency, scale, sophistication and severity of cyber incidents have all increased. Moreover, many businesses don’t even realise that there has been a breach.
Big names breached
In recent years, there have been a series of highly publicised, large-scale breaches of cybersecurity – Australian Red Cross Blood Service, Uber and Equifax, to name a few. Coupled with these breaches were attempts by some of the affected companies to conceal the scale of the breaches, or even the breaches themselves, from both consumers and regulators. In light of these incidents, the Australian Government passed new mandatory reporting legislation for data breaches.
Australian Government response to Cybercrime
The Notifiable Data Reporting Requirements came into effect on 22 February 2018 under Part IIIC of the Privacy Act 1988 (Cth). Under these new requirements, Australian government agencies, credit reporting bodies, health service providers, TFN recipients, and businesses and not-for-profits with an annual turnover of $3 million or over must report potentially harmful personal information data breaches to the Office of the Australian Information Commissioner. When a data breach is likely to result in serious harm to any individuals whose personal information was involved, entities covered by the scheme have 30 days from the discovery of the breach to meet their notification obligations.
Powers of the Australian Information Commissioner
The Commissioner has extremely broad powers to ensure that relevant entities comply with their obligations, such as directing them to prepare statements and notify affected individuals. Entities that repeatedly fail to comply may be hit with fines of up to $2.1 million. Additionally, international laws have been enacted with similar provisions – for example, companies which hold the information of European Union citizens must comply with the soon-to-be-in-force General Data Protection Regulation.
Will your business be a target of Cybercrime?
It seems it is more a matter of ‘when, not if’ a cyber incident will affect a company. Based on the ACSC’s report, an incident has an average cost of $276,323, 54% of which is spent on detection and recovery, with an average resolution time of 23 days. Contingency plans are vital to manage not only the initial breach, but also the liability attached to it.
Insurance industry responds with Cyber Risk Insurance
The insurance industry has introduced cyber risk insurance, which includes cover for losses such as the cost of notifying customers or business interruption, without the physical-damage requirement found in standard policies. Cyber insurance can also provide third party cover for losses to others caused by data breaches, including any regulatory fine.
Without insurance policies that specifically address cyber risks, the uninsured costs of a cyber attack may be ruinous for a business. With a growing range of providers and policies, cyber risk insurance is becoming a necessity for modern business.
Useful links
The Australian Information Commissioner’s website: https://www.oaic.gov.au/
The Australian Cybercrime Online Reporting Network’s website (a national policing initiative of the Commonwealth, State and Territory Governments): https://www.acorn.gov.au/
Important Note
This article was prepared for general information only and is not legal advice. For legal advice about the National Data Breach Scheme and how it affects you or your business, contact us on 07 5597 3366 or send an email to law@belllegal.com.au.