By Gill Collins,
Head of Cyber Incident Management and Cyber Advisory, Marsh Pacific
29/11/2022 · 6 minute read
Now more than ever, senior company leaders need a deeper understanding of their company's cyber risk exposure in order to protect customer data and avoid harsh penalties. That understanding lets them actively guide and monitor data protection strategies across the entire organisation, including where data is passed to third parties.
The Australian Government has been vocal about its desire to address the growing threats brought by cyber criminals. Australia’s Cyber Security Strategy 2020 outlined how the government plans to create a more secure online environment for Australian citizens and their businesses.
Recent significant privacy breaches in Australia, which impacted the personal information and data of millions of Australians, bring the issue of cyber security and data protection back into the spotlight.
These breaches have highlighted the inadequacy of current legislated practices and safeguards in relation to data storage and protection. As a result, the Federal Government is fast tracking substantial changes to existing Australian Privacy legislation. It is seeking to “regulate how companies manage the huge amount of data they collect and apply much harsher penalties so as to incentivise better behaviour”.
In recent days, the Attorney-General has introduced legislation to significantly increase penalties for repeated and serious breaches of the Privacy Act 1988 (Commonwealth).
The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022, recently tabled in parliament, will significantly increase the regulation of all organisations that fall within the scope of the Privacy Act.
The proposed amendments will impose tougher penalties for serious and repeated breaches of the Privacy Act (Australian Privacy Principles) and provide enhanced powers of investigation and enforcement for the Office of the Australian Information Commissioner (OAIC).
The legislation contains a number of key amendments:
The most significant and newsworthy change is the dramatic increase in the penalties that can be imposed for repeated and serious breaches of the Privacy Act. Previously the maximum penalty was AUD 2.2 million.
The new maximum penalty will be the greater of:
* AUD 50 million, or
* 3 x the value of any benefit obtained (directly, or indirectly by related entities) from and attributable to the breach, or
* if the court is unable to determine the value of the benefit, 30% of the adjusted turnover of the body corporate during the breach turnover period for the contravention.
The OAIC will be given increased powers to request information and conduct compliance assessments under the Notifiable Data Breaches scheme. These powers allow the OAIC to ask for information, documents and answers to questions not only from the entity that has suffered the data breach, but also from other organisations and entities that might (in the opinion of the OAIC) hold relevant information.
The repeated failure to provide this information or to answer questions from the OAIC can also attract significant penalties.
The bill will expand the Australian Communications and Media Authority’s information sharing powers and the OAIC’s ability to share information obtained from its investigations and determinations of complaints with other Australian and foreign privacy regulators and complaints bodies.
The requirements under the Privacy Act will extend to foreign entities and organisations that carry on business in Australia, irrespective of whether they collect the personal information directly from individuals in Australia or hold the information here.
A wider scope of enforcement powers will be granted to the OAIC, allowing it to require organisations to commission external reviews of their internal procedures, to publish details of its determinations, and to notify affected individuals about specific privacy breaches.
Specifically, the OAIC can order an entity to engage an independent adviser to review the acts and practices of the organisation and the proposed remediation of the complaint. The bill also proposes that the OAIC can require an entity to prepare an approved statement describing the conduct it engaged in, and either distribute this statement to the complainants or publish it.
The fast tracking of this bill sends a very clear message that the Australian government is taking data and privacy breaches very seriously. The new penalties imposed for serious and repeated data breaches far exceed those currently existing and are amongst the harshest in the world.
In addition, the amendments provide new wide reaching powers of information gathering and investigation to the OAIC, and the sharing of the information and outcomes from those investigations with other privacy regulators and complaints bodies globally.
Boards and senior executives must now not only understand their key cyber exposures and implement enterprise-wide cyber risk management, but must also focus on all aspects of data protection and ensure that robust strategies are in place to safeguard the confidential data entrusted to them by customers, employees and third parties. Organisations should conduct a comprehensive review of the data they hold, the business or commercial need for retaining it, the manner in which it is held, how it is used, and how and when it is cleansed or deleted.
An insurance policy should not be the primary means of managing a company's exposure to cyber attacks or data breaches; however, transferring risk through insurance plays an important role in the overall risk management protocols of a business. Purchasing standalone cyber insurance remains an important risk transfer mechanism in addressing growing cyber threats. Such a policy is designed to respond in the event of a data breach, providing important financial, operational and reputational protection to an organisation.
As your trusted advisor and partner in cyber risk management and enterprise risk assessment, Marsh can work with you to determine your current cyber risk posture and implement improved protocols and procedures to enhance insurability, loss mitigation and cyber resilience. These reviews will extend beyond your technical risk management procedures to include the enterprise wide review of cyber resilience, data protection and incident preparedness.