The word is out – Medibank confirmed earlier this week that they DON’T have cyber insurance after a breach that impacted all 3.9 million customers. The cybercriminals responsible for the attack now have access to customers’ personal data and a significant amount of health-claim data.
Experts estimate that the breach will cost Medibank up to $35 million, plus the cost of legal fees and remediation. However, the government proposed a new bill on 22 October which, if passed, will increase the maximum penalty for serious or repeated privacy breaches from $2.22 million to a whopping $50 million.
The press release stated, “It’s not enough for a penalty for a major data breach to be seen as the cost of doing business.”
So, what is this new legislation all about?
The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 is designed to incentivise businesses to implement tighter data protection policies. The fundamental changes announced include:
The government is reviewing the Privacy Act, with further recommendations for reform anticipated.
Directors' Responsibilities
Earlier this month, a US court found Uber's former chief security officer guilty on criminal obstruction charges after he failed to report a cyber breach to authorities. As a result, he faces a prison sentence of up to eight years.
Following this verdict, the Cyber Security Cooperative Research Centre and the Australian Institute of Company Directors have published a set of cyber security governance principles to help organisations better protect their own data and that of their clients and customers. These principles establish a framework for the board across the following areas:
This increased expectation on board members reflects the current climate, as Rachael Falk MAICD, CEO of the Cyber Security Cooperative Research Centre, explained when describing why the principles were developed.
“Companies must expect to be attacked and the worst thing any organisation can do in this current environment is to proceed with a false sense of security. This is a core risk that has to be incorporated into the everyday business of running any organisation,” said Falk.
Directors and Officers Liability Insurance (D&O insurance)
As board members and officers are expected to make informed decisions to mitigate cyber risk, company directors could be found personally liable for a cyber breach if they are seen to have failed to take the necessary steps to protect personal data. While we are yet to see such a case in Australia, several have been brought in the US, and the Australian government has warned that Australia may follow suit.
It’s little wonder then that the Australian Institute of Company Directors recommends protecting yourself with D&O insurance.
Safeguards for the Digital Era
With the massive quantities of data companies are collecting in the digital era, every business needs to step up and be accountable for storing and protecting this information. It doesn’t matter what size your organisation is – if you can’t afford to protect the data you collect, you can’t afford to be in business.
While this is a significant shift for many businesses, the recent spate of breaches (Optus, Medibank, Woolworths MyDeal, the list goes on) makes it evident that burying your head in the sand is no longer an option. If you don't have strong data governance policies, cyber insurance and D&O insurance in place, then you're a sitting duck for a cyber breach.
If you aren’t sure you are covered, call us to book a check-up. We also have a range of cyber resources available:
Don’t risk being front-page news for all the wrong reasons – ensure your company’s data is protected.