Notifiable Data Breaches for Australian Businesses: When a Client Database Is Compromised
Businesses hold extensive personal information about vendors, purchasers, landlords and tenants. A look at when a data incident becomes a Notifiable Data Breach in Australia and how Cyber insurance responds.
Australian livestock and property businesses are, in effect, custodians of personal information at scale. A single residential file may include identification documents, bank account details, tenancy history, employment information, references and rental ledger data. A sales file may include identification, financing details and contract documents. A rural file may include business information, land titles and personal financial information. Across a rent roll or a sales register, the business is holding the personal information of thousands of individuals.
When that information is compromised – through a phishing attack on staff email, unauthorised access to the business's trust accounting software, a lost device, or a vendor portal vulnerability – the Notifiable Data Breaches scheme administered by the Office of the Australian Information Commissioner (OAIC) is generally engaged.
When a data incident becomes a Notifiable Data Breach
Not every data incident is a Notifiable Data Breach. The scheme is engaged where there is unauthorised access to or disclosure of personal information, or a loss of personal information, that is likely to result in serious harm to one or more individuals, and the business has not been able to take action to prevent that harm. The business has 30 days from awareness of a suspected breach to assess whether the threshold is met.
The question is whether the personal information involved is enough to enable identity theft, financial fraud or other serious harm. For an agency file, the answer is almost always yes – identification documents, bank details and tenancy history meet that threshold on their own, and the combination of them is precisely what the scheme was designed to capture.
What the response involves
Once the threshold is met, the business is required to notify the OAIC and to notify each affected individual, or to publish the notification where individual notification is not practicable. The notification must include what happened, what information was involved and what the affected individuals can do in response.
“Most businesses underestimate how much personal information they hold per file. By the time you add the ID documents, the bank details and the tenancy history, every record on its own meets the threshold.”
Behind the notification sits a substantial amount of work – forensic investigation to determine the scope, legal advice to assess the threshold and prepare the notification, communications work to manage the message to affected individuals, the OAIC engagement itself, and often the provision of credit monitoring or identity protection services to the affected individuals.
How Cyber insurance responds
Modern Cyber policies respond to all of these costs under the standard insuring clauses – typically described as Breach Response, Legal Costs, Notification Costs and Credit Monitoring Costs. These are usually inside the overall limit and may be sub-limited individually.
Where the breach gives rise to a regulator investigation or a privacy complaint, the policy generally responds to the legal representation. Where individuals subsequently bring a claim against the business for the misuse of their information, the policy generally responds to the defence and the settlement, subject to the privacy-related insuring clause.
Where the harder questions arise
The harder questions in any business Cyber claim are usually about scope. How far does the breach extend: one mailbox, the trust accounting software, or the entire client database? How many individuals are affected? Is the breach contained or ongoing? Was the personal information actually accessed, or only potentially exposed? The cost of the response is largely driven by the answers to these questions, and the speed with which the business engages the insurer's breach response panel materially affects the eventual cost.
What we look at when we review the policy
When we review a Cyber program for an agency, the data breach conversation focuses on a few specific items. Whether the Breach Response insuring clause responds to the full notification process under the Australian scheme, not only an equivalent overseas scheme. Whether the Notification Cost limit is meaningful against the size of the client database. Whether the policy responds to regulator investigation by the OAIC and by state-based privacy regulators where applicable. Whether the wording responds to personal information held by the business on behalf of third parties such as landlords and vendors, not only the business's own data. And whether the breach response panel is accessible 24/7, since the first 48 hours of a breach materially affect the cost of the rest.
Personal information is the raw material of business work. The policy that responds when it is compromised should be set up to assume the breach will eventually happen.
If you would like a review of how data breach exposures are arranged in your business Cyber program, we are happy to walk through it with you.
Need help understanding how this may affect your cover?
Contact the RMA Insurance Brokers team before making changes to your insurance arrangements.
Any financial product advice in this content is provided by Insura Broking Group T/as RMA Insurance Brokers AR No. 1267581. This material is general in nature and has been prepared without taking into account your objectives, financial situation or needs. Accordingly, before acting on it, you should consider its appropriateness to your circumstances. RMA Insurance Brokers is an AR of McCormick Harris Insurance AFSL No. 238979.
Information is current as at the date the article is written as specified within it but is subject to change. RMA Insurance Brokers make no representation as to the accuracy or completeness of the information. Various third parties may have contributed to the production of this content. All information is subject to copyright and may not be reproduced without the prior written consent of RMA Insurance Brokers.
