Laggard Australian businesses on notice as breach notification, insurance onus ramps up

“Behind the curve” on breach notification, Australian businesses must measure and remediate their data risk inside and out

Many Australian businesses are still unprepared for the legal implications of impending data breach notification laws and will face a surge of security-related litigation as the new laws force rapid reconsideration of longstanding risk-management policies, a lawyer and data-privacy specialist has warned.

The long delays in passing the legislation, which is already in force across the United States and Europe, had left Australia “a long way behind the curve,” Jones Day solicitor Adam Salter told CSO Australia. “I'm quite surprised by that given that we're normally relatively ahead of the curve and not too far behind it. But it has been something of a political football.”

Normalisation of breach reporting through the overseas experience, however, had taken much of the sting out of the mooted legislation – particularly as well-known corporates such as Kmart Australia and David Jones had recently taken the lead in reporting breaches.

Yet as the legislation neared passage – amidst warnings that it is still too subjective and that consumers won't be able to cope if they know how many breaches are actually happening – a shift of focus towards “a lot more contentious things” was forcing boards to rapidly revisit their risk profiles and privacy practices in anticipation of a potential flood of litigation.

The breach-notification environment “creates more of a fertile environment for plaintiff law firms to start crafting their approaches,” Salter said. “The language around privacy compliance is a lot more complicated these days. People now have a stronger expectation of privacy – particularly with regard to data breaches and things like credit-card details – and the law is catching up with that.”

Contracts would be a particular area of focus, Salter said, with many companies building in obligations around privacy compliance and handling of personally identifiable information (PII) for their suppliers. Vendors would face class actions and litigation from their corporate customers who would be looking to pursue remedies in the event of a breach.

“You will start to see more litigation arising out of breach of those contractual provisions in B2B or [government to business] contracts,” Salter said. “There will be a lot of technical measures put in place to avoid that liability, and you will see that liability passed through the corporate structure. There will be changes to the way they craft their privacy language, and possibly civil liability between the parties on a vendor who fails to comply – in addition to the penalties in the legislation.”

As Australia continues to roll towards breach-notification legislation, Salter said, much of his advisory work is focused on guiding clients through the creation and establishment of insurance policies to back their cybersecurity efforts. The legal team is also recommending that organisations work hard to ensure internal processes and procedures are compliant with the company privacy policy, as well as reviewing contractual obligations both upstream and downstream.

“A key element to this is training for the appropriate people about what their obligations are under the privacy policy and contracts,” he noted, advising the appointment of a formal privacy officer even in smaller organisations.

“In today's world, with the Internet and how quickly information can be spread, they need to have very good communications strategies so they are ahead of the curve in controlling the messaging in a business sense.”

Cyber-insurance policies are likely to provide a stopgap measure, with companies like Marsh Australia and QBE Insurance taking an early lead in providing policies that cover cyber breaches, and Berkshire Hathaway Specialty Insurance Company this month joining the fray through a cyber-response partnership with Symantec.

Insurers “will be doing a lot more due diligence in relation to the policy holder to understand their risk profile,” Salter explained. “It's not just a matter of what the customer's technology is like; it's also the history of their software or other technology having been hacked; what are the nature and size of their contracts; and who are their customers. That certainly plays into their risk profile from a dollar sense.”

Vendors providing smaller contracts to a lot of companies offer less risk to insurers than large providers “with lots of touchpoints for liability arising out of hacking,” Salter said. “A lot of the work of insurers is working out who's on the hook.”

Stories by David Braue