In 2018 the new mandatory breach notification scheme comes into effect. It means any business that experiences a data breach and believes that serious harm may result, must report it. It can seem like a dark grey cloud looming overhead, but it doesn’t need to be – if you prepare accordingly.
If you think this doesn’t affect your business, then think again. Make sure you’re fully informed, know if and how your business will be impacted, and then take the necessary steps to ensure you’re on the front foot ahead of the law being enforced. It’s incredibly important to lay the groundwork now, as ignoring it or putting it on the backburner could backfire, and it won’t be easy to recover.
The question is no longer if we are going to get hit, it’s when. Cybercriminals are getting smarter and more targeted with their attacks, impacting organisations across various industries. In theory, businesses should already have policies and procedures in place to ensure the information they hold is protected from data breach attacks; in practice, however, it’s usually a very different story.
“What happens if I don’t report a breach?”
Not reporting a breach can have a disastrous impact on both brand and reputation. Penalties of up to $1.8 million for companies and $360,000 for individuals may also apply.
The average total cost of a data breach is thought to be around $3.62 million*, including the costs of reputational damage and of retaining customers in the wake of a breach. If this were to happen to your business, is this something you could financially manage? If not, it could lead to your business getting into major financial difficulty and being at risk of becoming insolvent.
What you need to do if a breach occurs
The mandatory data breach notification scheme requires organisations subject to the Privacy Act to promptly notify Australia’s Privacy Commissioner of any potential breaches.
Data breaches are defined as those in which there is unauthorised access, disclosure or loss of personal information held by an entity, which is likely to result in serious harm to any of the individuals to whom the information relates.
If you believe a data breach has occurred, then you must carry out a “reasonable and expeditious” assessment and notify any individual affected as well as the Privacy Commissioner. You need to take reasonable steps to complete the assessment within 30 days.
Lay the groundwork, before it’s too late
Businesses should be taking action now to ensure they have a data security strategy in place, or risk disastrous financial implications.
Steps you can take to prepare:
- Produce a policy and procedures document that defines “serious harm” and what action needs to be taken in the event it occurs.
- Update security software.
- Define what a breach is within your organisation.
- Nominate someone to be responsible for identifying and dealing with any breaches.
- Review contracts with suppliers and service providers to ensure they have implemented data security measures.
- Have a draft notification in place so it is ready to send in the event action needs to be taken.
A certain naiveté has protected Australian businesses for a long time. Now that the scheme is about to come into play, it’s time for businesses to wake up and prepare themselves so they don’t get caught out. Because if you are, would your business survive the blow?
*2017 IBM Ponemon Cost of Data Breach Study: www.ibm.com/security/data-breach/index.html
Andrew Spring, Partner, Jirsch Sutherland