Australia: What Are The Financial Exposures For Organisations Following Australia's Data Notification Law?

Last Updated: 10 July 2017
Article by Matthew Pokarier and Ben Di Marco

Recent high profile events such as the 'WannaCry' and 'Petya' ransomware attacks have highlighted the very significant exposure that security incidents pose for organisations, and the legal and commercial challenges that can follow. The implementation of Australia's Data Notification Law is likely to further increase the exposure of affected organisations to the costs associated with security incidents and with the events that follow a breach.

Australia's Federal Parliament has now passed the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) (Data Notification Law), which takes effect from 22 February 2018 and imposes new obligations by amending Australia's existing Privacy Act 1988 (Cth) (Privacy Act).

To provide guidance on how Australian organisations are likely to be affected by the Data Notification Law and by security risks generally, Clyde & Co has drawn on its international experience in managing cyber claims and data breaches to prepare its second annual cyber report. The report explores the key aspects of the legislation and provides a detailed analysis of a cross section of breaches that we have worked on across various industries, to give insight into the likely costs and consequences of the new regime.


The Data Set

Clyde & Co has also performed a detailed analysis of breach costs and sector risks based on an initial data set of 70 separate global breaches. The majority of these matters were US based data breaches (though some also had international exposure); the set also included five separate Australian breaches and two Asian breaches. This initial data set was refined, with the following matters removed:

  • Pure ransom and crypto-locker events, unless these incidents also involved evidence of data exfiltration. This was done because the costs incurred in pure ransomware events generally consist of the ransom payment (where it was determined appropriate to pay the ransom) or the forensic and investigation costs associated with data restoration. Generally speaking, these claims were the simplest matters observed and were the most quickly resolved;
  • Suspected incidents, where following investigation it was determined that no personally identifiable information had been disclosed or stolen. These matters typically involved only limited forensic and legal costs and, generally speaking, were resolved within three months; and
  • Claims for business interruption loss.[1] These claims had not been made in every case; however, in some of the matters business interruption losses of over USD 1 million had been alleged.

Matters Per Industry

Following these revisions, 30 separate data breaches were identified and used for our analysis. These breaches fell into the following industries:

  • Healthcare - made up of organisations including large hospital networks, individual clinics, smaller practices and specialised testing and diagnostic services;
  • Retail and hospitality - which included retail shops, restaurants, online stores and accommodation service providers;
  • Professional services - including financial service firms as well as risk and investigation firms;[2]
  • Computer hardware - a hardware manufacturer; and
  • Utilities - a government related entity.

It was noted that the highest concentration of matters was in the healthcare sector, which reflects recent commentary that healthcare information is increasingly being used to commit both financial and identity fraud, and the underlying sensitivity individuals feel where their medical records and information are compromised.

Sensitivity around healthcare information breaches is also likely to be seen in Australia, given that 79% of respondents recently surveyed by the OAIC indicated they placed a very high level of trust in their health service providers.[3]

The second most significant category was hospitality and retail, which involved a variety of point of sale attacks, social engineering attacks and some unintended unauthorised disclosures. A number of these matters became high profile breaches receiving significant media attention.

Costs by Category

Across all of the matters considered, the analysis showed that the following categories of cost were incurred, in the following proportions:

  • Forensics (18.11%) - the cost of IT and security experts retained by the organisation to investigate the incident and provide ongoing advice on the management of each breach. These costs did not include any hardening or remedial work undertaken after the breach had been remedied to improve the overall security environment of the organisation;
  • Crisis Management (1.7%) - the costs of obtaining an independent crisis expert and the costs associated with public relations and ongoing communications advice. These costs represented an insignificant percentage across all of the matters;
  • Notification (18.3%) - the costs of identifying, preparing and providing notification correspondence to the individuals affected by disclosure incidents. These costs include the provision of call centre services and any complaint mechanisms provided as part of those call centre services;
  • Legal (41.2%) - made up of privacy counsel,[4] regulatory legal costs,[5] defence costs,[6] investigation costs,[7] and legal costs associated with the Payment Card Industry Data Security Standard (PCI DSS);
  • Credit Monitoring (12.7%) - costs incurred to provide mitigation tools to affected individuals in the form of access to credit monitoring services and other identity protection services;
  • Payment Card Industry (PCI) (8.1%) - costs incurred under the PCI DSS regime, which imposes an obligation to retain a PCI forensic investigator (PFI), together with compliance penalties and assessments representing the losses incurred by financial institutions in remediating breaches that compromise individuals' payment cards and financial records; and
  • Other (0.0%) - miscellaneous direct costs flowing from a breach.

Across our data the highest cost incurred was legal, although this reflects the complexity of managing privacy and data notification obligations, as well as the relatively sophisticated regulatory and plaintiff litigation environment that has evolved in jurisdictions such as the US. It is not anticipated that these trends will be immediately experienced in Australia, and adjustments have been made in the graphs below to reflect the outcomes we consider more likely once the Data Notification Law comes into force.

The statistics above show that 31% of the total costs incurred were for notification and credit monitoring. While there are significant variations across industries, this figure shows that managing notification and providing mitigation services to affected individuals is a key cost of incident response and should be carefully considered by organisations before February 2018, when the Data Notification Law comes into force.

The cost of forensics was also relatively low in percentage terms; however, this was influenced by a number of matters in the data set that were breaches of high profile organisations with established internal information technology teams, which helped perform forensic and investigation steps after the breach. Where breaches involved smaller and mid-level organisations, the percentage cost of forensic services increased.

Costs Over Time

A number of commentators have described data breach incidents as short-tail risks which generally resolve in the months following the incident. This is not supported by the data, which reveals that costs can continue to be incurred 25 months after the initial incident occurred.

The most significant cost observed during the first five-month period was for notification and credit monitoring. Additional expenses were incurred for these items where additional affected individuals were identified at later stages and where other forms of notification were required to reach subsets of affected individuals (including examples where it became difficult to determine proper contact details and further steps were required). In these matters, notification was almost exclusively provided by registered mail. This is not strictly a requirement under Australia's Data Notification Law.

In general, credit monitoring costs were incurred to provide credit and identity protection support to individuals whose records had been compromised. In a number of cases credit monitoring services were initially based on single credit bureau services; however, depending on the sensitivity of the records compromised, additional services were also provided. Some credit monitoring costs stemmed from disputes around the adequacy of the credit monitoring initially offered to affected individuals. Many of the services provided were bulk products, with the product cost set based on presumed levels of take-up by impacted individuals.

Footnotes

1. Business interruption is typically the consequential loss incurred by the organisation as a direct result of the incident or suspected incident. Business interruption losses are typically covered under cyber insurance policies, though there is significant variation between individual policy wordings around the triggers for cover and waiting and excess periods.
2. The wider data set also included a number of other professional service companies such as legal services and accounting firms. However these matters were pure ransomware events and were excluded based on the criteria summarised above.
3. Office of the Australian Information Commissioner, Australian Community Attitudes to Privacy Survey 2017 (May 2017)
4. These are the solicitors that are retained at an initial stage to determine whether or not privacy or data notification obligations will arise as a result of the incident.
5. These are the costs associated with managing and defending any steps taken by regulators as a result of a data breach incident.
6. These are the costs incurred to defend third party litigation brought against a company following a security incident. Typically these actions are brought by affected individuals, third party clients or financial institutions. These types of claims are discussed further in Matthew Pokarier and Benjamin Di Marco, Clyde & Co, Emerging legal and regulatory risks for data breaches (27 May 2016) <http://clydeco.com/uploads/Files/Emerging_legal_and_regulatory_risks_for_data_breachs.pdf>.
7. Generally undertaken at the start of the matter to put in place proper privilege and document record management to reduce or limit future exposure.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.