Speaking to ifa, national practice leader of cyber risk at Aon Australia, Fergus Brooks, said the new laws laid out in the Privacy Amendment (Notifiable Data Breaches) Bill 2016 mean advice practices who experience a cyber breach have 30 days to notify the Officer of the Australian Information Commissioner (OAIC) as well as all clients affected.
“We’ve been waiting for this bill for more than four years,” Mr Brooks said.
“If an advice business fails to disclose a breach they will be looking at fines to the tune of $1.8 million, which could multiply depending on the amount of data lost,” Mr Brooks said.
Previously, under the Privacy Act 1988, businesses did not have to disclose data breaches.
The new mandatory disclosure law is set to trigger more movement within the advice sector around cyber security as breaches can no longer be concealed from public knowledge and businesses now face a greater risk of reputational damage, Mr Brooks said.
“The single biggest risk to an advice business is the damage to brand and reputation because they rely on client trust,” he said.
“Advisers also hold an enormous amount of Personal Financial Information (PFI) – so not just client identities and contact details, but information on what investments a client makes, how much money they have – all of which is extremely valuable information for organised cyber criminals.”
Advisers need to look at their security posture and, if they don’t know what the gaps are, get a risk assessment done, Mr Brooks said.
According to Mr Brooks, 80 per cent of the claims his firm receives are in regard to crypto locker attacks – a type of ransomware attack.
“Have an incident response plan in place in case something does go wrong (this could be a one-page document) and ensure your staff are educated and aware,” he said.
“What you do in the first critical minutes after you have an incident will determine how well you can save your brand and reputation.”
The introduction of the new laws does not necessarily mean that “breaches can no longer be concealed from public knowledge.” There is an important distinction between an eligible data breach that gives rise to the notification obligation and those that do not. If you don’t understand this distinction you can end up notifying the OAIC and affected individuals prematurely and create far worse reputational consequences than if you make a balanced assessment not to notify.
Organisations need to put in place a data breach incident response plan that steps through how to assess if a data breaches is an eligible data breach, respond to the breach, adopt remedial actions to mitigate any harm and if necessary notify the OIAC and affected individuals.