Latest News

Mandatory breach notification goes live


Mandatory breach notification is officially in force in Australia, a move that could impact both the insurance industry and its clients.

The notification legislation, which came into force today, could see individuals face penalties of up to $360,000 with organisations potentially on the hook for up to $1.8 million.

Dean Carrigan, partner at Clyde & Co, said that the advent of the legislation will have a marked impact on businesses that fail to handle breaches in the right way.

“Although there mightn’t be an immediate spike in notifications, I think there is a real risk any early notifications made on, and after, Thursday are likely to result in significantly enhanced and increased regulatory focus and investigation,” Carrigan told an AIG-hosted event.

“I think we will see significant legal interest in these breaches as the new legislation is rolled out and there is going to be a lot of chat on social media and in the public domain about these breaches.

“All of this has real potential to impact businesses’ financial position and reputation and those risks are greatly exacerbated if the incident, once it has occurred, isn’t handled properly. It will be really key to make sure those incidents are properly managed.”

With mandatory data breach notification now in effect, Carrigan said that this could lead to a rise in third party claims as he believes the new regime could see “plenty of litigators circling, looking for opportunities to bring claims against the business” which suffered the breach. He added that from the work Clyde & Co has done in the space globally, acting quickly is the best method to ensure any breach is well-managed. The first 72 hours are key and brokers should look to ensure clients have plans in place to manage a breach, regardless of their business size or type.

In addition, he noted that businesses will also need to consider whether forensic IT is needed to respond to the breach, what areas of the business have been impacted, the cause of the incident and whether other regulators such as APRA or ASIC also require notification.

“There is an enormous amount to consider and any business, even a large sophisticated, well-resourced business is certainly, in our experience, going to be challenged with this,” Carrigan continued. “That is particularly apparent because there is no one size fits all to these data breaches.

“It has to be a tailored, focused, and thought-through, bespoke approach that is adopted in relation to these matters and that holds true, with greater force for the bigger, more complex breaches, as well.”


Source: Insurance Business Magazine