A leading US data protection lawyer has warned Australian businesses that they need to have clear action plans in place to avoid expensive embarrassment, following the introduction of mandatory data breach notification laws in Australia by the end of the year.
David Navetta, the US co-chair of global law firm Norton Rose Fulbright’s data protection, privacy and access to information practice group, said Australian firms had more than a decade’s worth of real world experiences in the United States to learn from, and that chief executives and boards could be under threat if responses to breaches were bungled.
The expected new laws, which have bipartisan backing, mean Australian organisations would have to notify customers if their systems were hacked or a network flaw of some kind left private customer data exposed.
Despite similar laws having been in place for some time in other jurisdictions, including in the US since 2003, Australian organisations have so far retained the right to keep quiet about customer data breaches.
However, in February, the parliamentary committee that investigated the federal government’s contentious data retention legislation also recommended that mandatory data breach notification laws be enacted by the end of 2015. No legislation has since been tabled, but sources suggest it will surface in due course.
Mr Navetta said high-profile data breaches in recent times, such as the Sony Pictures Entertainment hack and the systems breach of US retail chain Target, had crystallised the business risks of security breaches. He said mandatory disclosure would likely reveal a much greater extent of systems breaches in Australia than was currently seen.
Studies have estimated that 783 data breaches were reported last year in the US, with Mr Navetta saying roughly 675 million records were reported to have been breached in the last decade. While some companies already disclose breaches without being forced to by law, he said, the majority have chosen to keep things quiet.
“Prior to 2003, apparently hackers never breached anyone in the United States; then, suddenly after the law came in, we found out that this certainly wasn’t the case. I would not be surprised if many companies have been breached here in Australia and said nothing,” Mr Navetta said.
“The issue for the US companies is the whole process of having to report an incident and the negative PR [public relations] and litigation issues that can come out of it. It has become a big challenge for US companies to deal with these situations, and it can be quite expensive for them to do so.”
The laws have been considered necessary as the notifications can alert consumers of the need to closely check bank statements and credit card bills, and to potentially change their passwords for other websites.
Watershed Event
Mr Navetta said the December 2013 breach at Target had been a watershed moment in US business, as the company was so damaged by the public relations and litigation hit from the theft of 40 million debit and credit card numbers that the board of directors, CEO and chief information officer all lost their jobs in the aftermath.
US businesses had learnt to put a plan in place to react to data breaches in the understanding that, if they are determined enough, hackers will likely find an entry into a system at some point.
Most breaches do not have the huge implications of the Target hack, and Mr Navetta said the volume of notifications had produced somewhat of a numbing effect on US consumers, who would often pay scant attention to them.
Sydney-based Norton Rose Fulbright partner Nick Abrahams said incidents of Australian data breaches were much more common than the public would know from media reports, due to the current lack of notification laws.
“Because we don’t have mandatory breach notification laws in Australia, most organisations apply what I call the ‘A Current Affair test’. This is to ask what the chances are that A Current Affair will ever find out about it,” Mr Abrahams said. “If there is no chance then they are not going to notify anyone because they just don’t have to.”
He said in the US the first port of call for an organisation that had been breached was its lawyers, rather than cyber forensics experts. This was so that subsequent forensic reports into the causes of the breach could be given the cloak of legal professional privilege.
New Industry Likely
Mr Abrahams said US legal teams had become something close to professional breach coaches as their regular experience of dealing with the situation meant they knew how best to deal with the investigation and any media interest in order to minimise damage.
He said the US experience suggested a new industry would likely emerge in Australia for identity monitoring services, and that cyber insurance policies would become much more common.
“The cyber risk insurance market, which is quite developed in the US, is still early stages in Australia,” Mr Abrahams said. “We have seen really significant change over the last 12 months with products that are available, and we are dealing a lot with insurers who ask for policy reviews.”
Earlier this year HWL Ebsworth partner Andrew Miers told The Australian Financial Review that cyber insurance was increasingly being seen as part and parcel of an organisation’s cyber risk management plan.
“Breach notification laws create greater compliance costs, which companies may seek to insure, but also generate more information about data breaches and cyber risks, and hence a greater pool of actuarial data to enable a cyber insurance market to mature,” Mr Miers said.
Source: Financial Review