Does your business have a plan for meeting data breach penalties and costs? With the Marriott group facing a potential $915 million fine for its 2018 data breach, organisations of any size are facing the need for contingency strategies.
On top of Australia’s Mandatory Data Breach Notification and the General Data Protection Regulation (GDPR) coming into effect in 2017, proposed changes to the Privacy Act 1988 are set to introduce increased penalties, making data breaches more costly ‒ and cyber insurance a necessity for any company that stores personal data.
With draft legislation timed for consultation in the second half of 2019, businesses of all sizes should be aware of the proposed amendments which also cover online and social media platforms, and include
- an increased maximum penalty for repeated breaches of personal data of $10 million or
- 3 times the value of any misuse of information or
- 10% of a company’s annual domestic turnover, whichever is greater.
The OAIC will gain new infringement powers to impose penalties for failure to cooperate with efforts to resolve minor breaches of
- up to $63,000 for bodies corporate
- up to $12,000 for individuals.
They will also be able to
- publish notices about breaches and the companies involved
- notify individuals whose personal information has been accessed by a cyber attack.
This will directly affect breached organisations’ reputations – and their bottom lines.
According to legal firm Clyde & Co, in the event of a security breach businesses should be prepared to demonstrate that they have adequate systems in place to protect personal data, and that includes considering cyber insurance as a risk mitigation strategy to assist with the costs and potential liabilities involved.
“Cyber insurance provides a safety net for businesses and provides assurance that they can pay compensation to individuals whose data has been compromised,” says Robyn Adcock, Cyber Technology Practice Leader at Gallagher.
“By taking a proactive approach to data protection, organisations can also improve their risk profiles and lower their premiums.”
An organisation can build a stronger case for claims being approved in the case of a data breach by auditing themselves in advance of seeking insurance cover. First steps include
- identifying what kind of data is stored and the level of security it is defended by
- ascertaining that appropriate access controls are in place
- assessing whether current security is adequate.
“The faster an organisation can react, and the more it can minimise any potential damage, the lower its premiums will be," Adcock continues.
These basics help to quantify your risk to a potential insurer and they also provide a road map to the preventative actions your organisation needs to take. Today the reality is that every business could fall victim to a cyber attack, but preparedness is the key to surviving and moving on.
“Cyber insurance is designed to meet a variety of different challenges that can arise in the event of a data breach,” Adcock says. “We can help businesses proactively manage their risk exposures.”
Talk to a Gallagher cyber specialist about how we can help you limit your cyber security exposure.