Data security – the increasing burden

The consequences for an Australian business victim for a breach of cyber security are forecast to exponentially increase. In February 2015 the Parliamentary Joint Committee on Intelligence and Security (Committee) recommended the introduction of mandatory data breach notification scheme (Scheme) by the end of 2015.^[1] Whilst the details of the incoming Scheme are currently scant, it is understood that the enacting legislation will have bi-partisan support in federal parliament.

Mandatory data breach notifications requirements a la the Scheme are far from a recent development. They were first recommended by the Australian Law Reform Commission in 2008 and have been in place in the United States since 2003.

Lessons from the United States

Australian businesses have the benefit of approximately fifteen (15) years’ worth of practical guidance from the United States alone. In these fifteen (15) years it is estimated that 675 million data records have been reported as being compromised and 783 data breaches occurred last year alone.^[2]

By and large the United States experience demonstrates the significant costs incidental to a data breach that may arise by virtue of mandatory notification schemes. Amongst these costs are the damages to reputation and public relations and the potential litigation commenced by notified parties.

Preparing for the change

Australian businesses should take heed of the United States experience and undertake a comprehensive review of their data breach policies. By ensuring that your policies for reacting to a data breach are airtight you can mitigate any damage that may arise from your obligations under the Scheme. The guidelines for dealing with data breaches released by the Office of the Australian Information Commissioner in 2012 provide a solid foundation (outlined by Dundas Lawyers here) for preparing a policy but you should seek professional advice to develop a policy more tailored to your individual business.

Links and further references

Office of the Australian Information Commissioner, A guide to securing personal information

Office of the Australian Information Commissioner, A guide to data breach preparation and response

Parliamentary Joint Committee on Intelligence and Security, Advisory report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014

Further information about data security

If you would like further advice on your obligations concerning data breaches please contact us for a confidential and obligation free discussion.

Disclaimer

This article contains general commentary only.  You should not rely on the commentary as legal advice.  Specific legal advice should be obtained to ascertain how the law applies to your particular circumstances.

[1] Smith, P, Litigation, PR disasters and higher insurance costs expected from new data breach laws, (2015). Accessed at http://www.afr.com/technology/litigation-pr-disasters-and-higher-insurance-expected-from-new-data-breach-laws-20150805-gis75j accessed on 13 August 2015.

[2] Parliamentary Joint Committee on Intelligence and Security, Advisory report on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, (2015) at p. 299.

---

Related insights about data security