Businesses are being urged to prepare for the new Notifiable Data Breach scheme, which is set to transform Australia’s cyber security and reporting landscape.
From 22 February 2018, all qualifying businesses will have a mandatory obligation to report eligible data breaches to the Office of the Australian Information Commissioner and to notify any individuals who may be affected by the breach.
The new rules have the potential to be a costly exercise for businesses of all sizes: under the Privacy Commissioner's existing powers, penalties can reach $360,000 for individuals and $1.8 million for organisations.
The new rules apply to businesses that are subject to the Privacy Act. Most notably, any organisation with an annual turnover greater than $3 million will be subject to the reporting requirements.
In addition, the changes require that all affected customers be notified of a breach, and that a suspected breach be assessed within 30 days.
Perhaps most critically, if detection, reporting or notification of a data breach is handled poorly, the business's reputation is also at stake, as customers and suppliers lose confidence in it.
What does it mean for business?
Businesses will need to ensure they have effective risk mitigation techniques in place to address the evolving threat of cybercrime, QBE specialist cyber underwriter Ben Richardson says.
“There’s no such thing as perfect security, but it’s never been more important for businesses to have an effective plan in place. That way, if something does go wrong, businesses will be ready to trigger their plan of action right away.”
The new regulations around reporting data breaches reinforce the need for all businesses to take a proactive approach to protecting their business and IT systems.
“There’s a need to protect but also detect and respond to cyber threats and all this has to happen quickly,” Richardson says.
“Cyber security risks are constantly evolving and changing, so it’s not possible to completely eradicate cyber exposure. That’s why it’s vital businesses avoid the set-and-forget mindset and continuously review and update their mitigation efforts,” he added.
SMEs under spotlight
Sixty per cent of small businesses that experience a significant cyber breach are out of business within the following six months, according to figures quoted by the Australian Small Business and Family Enterprise Ombudsman.
Yet Telstra’s Cyber Security Report 2017 found that thirty-three per cent of businesses with fewer than 100 employees take no proactive measures against cyber-security breaches.
Eighty-four per cent of Australian small and medium businesses operate online, so in today’s connected landscape almost all businesses are likely to routinely collect customer data.
For example, people are increasingly providing personal information to retailers to shop online or to earn rewards, with almost three-quarters of Australians signed up to a store loyalty program.
Small businesses that routinely collect personal data include childcare centres, gyms, general practitioners and pharmacies.
“It’s not just large organisations that will need to respond to the new mandatory reporting regulations, but the small end of town too,” says Richardson. “And prevention and planning will have the biggest impact on dealing with these threats.”
Talk to an expert broker
As business insurance experts, brokers can find the policies that best meet your business needs. How do they work? Brokers are licensed individuals or firms that act as intermediaries between insurers and business owners, negotiating insurance policy contracts on the business's behalf. Find out what to look for in a broker.
How to buy business insurance
Business insurance is purchased through brokers. If you don’t have a reliable personal recommendation, the National Insurance Brokers Association (NIBA)* can help you find an accredited broker.
You should ensure you obtain and consider the Product Disclosure Statement for the policy before you make any decision to acquire it. The information on this website has been prepared without taking into account your objectives, financial situation or needs.
*The brokers on this site are not employees or agents of QBE, but are independent entities. QBE is not responsible for any advice provided to you by any broker on this site. Any such advice is the responsibility of the broker concerned.
Privacy Act 1988 (Cth), Part II, Section 6D.
Dr. Jane LeClair, Chief Operating Officer, National Cybersecurity Institute at Excelsior College, testimony before the U.S. House of Representatives Committee on Small Business (22 April 2015), docs.house.gov/meetings/SM/SM00/20150422/103276/HHRG-114-SM00-20150422-U4.pdf