60% of Australian firms failed to plan for the Notifiable Data Breach scheme

February 23, 2018

New research released by MinterEllison shows that only 40% of organisations are prepared for Australia’s new Notifiable Data Breaches (NDB) scheme and have reviewed their policies, data breach response plans, and security controls appropriately.

Launching the new legislation, Australia’s outgoing Information and Privacy Commissioner Timothy Pilgrim said the NDB offers a significant boost to Australian privacy rules, although he stressed that the new rules are neither exceptional nor unexpected, but merely formalise long-held expectations of consumers.

“Meeting privacy obligations and the expectations of the community continues to be essential. Only by demonstrating a commitment to privacy can organisations build and maintain people’s trust and a social licence for innovative uses of data,” he explained.

“The success of an organisation that handles personal information, or a project that handles personal information, depends on trust. People have to trust that their privacy is protected and be confident that personal information will be handled in line with their expectations. As a result, privacy today is really about transparency and accountability.”

The fact that 60% of businesses still need to take further action is one of the key findings of this year’s ‘Perspectives on Cyber Risk 2018’ annual survey of C-level executives, CIOs, risk and legal managers. The report analyses the strategies and preparedness of Australian firms to effectively manage cyber risk and increase their cyber resilience.

“Our findings show that while most Australian organisations are well aware of cyber risk and the need to address it, much remains to be done to increase their resilience to meet requirements of the NDB Scheme,” said Paul Kallenbach, MinterEllison’s Head of Cyber Security.

“There is a distinct risk for those not prepared, given that cyber incidents are occurring – and will continue to occur – with ever greater frequency, severity and impact.”

The new NDB regime, which came into force on February 22nd, means that data breach notification for ‘eligible data breaches’ will be mandatory for almost all Australian organisations that are subject to the Privacy Act 1988. The scheme poses regulatory, monetary, and reputational risks for those who are not sufficiently prepared.

Mr Kallenbach said that the NDB scheme is intended to give Australians more control over their personal information, whether online or offline.

“We welcome the NDB scheme and it is not before time,” he said. “Not only does it reflect emerging international practice, but it will provide affected individuals with the opportunity to take steps to protect their personal information following a data breach.

“Our Firm recommends organisations focus on understanding and documenting their data and information flows; prepare, test and update their incident response plans; and provide regular training to staff at all levels. It’s vital they do this, as cyber attacks are here to stay and pose a serious risk issue for government and business.”

On that theme, ‘Perspectives on Cyber Risk 2018’ also shows that just 54% of respondents had a cyber incident response plan in place, although this was an improvement from 42% in 2016. This is despite more than a third indicating that they were subject to at least one cyber incident in the last 12 months that compromised their systems or data.

“This year’s report shows there was a decrease in the percentage of organisations that say they audit their suppliers’ IT security practices at least annually (from 34% in 2016 to 21% in 2017) and, in an environment of increasing adoption of cloud services, that’s also a key area where risk management for cyber should be focused,” said Mr Kallenbach.

Veronica Scott, leader of MinterEllison’s National Privacy Group, said the Cyber Risk report echoes the advice of Timothy Pilgrim, Australian Information Commissioner and Australian Privacy Commissioner, who told MinterEllison that “If an entity knows what information it holds, who handles it, who is responsible for it, where it is held, and how it is protected, then the entity can ensure its data breach response plan is as effective as possible.”

“An important finding from this year’s report is that the uptake of cyber insurance continues to rise, from 39% in 2016 to 62% in 2017,” noted Leah Mooney, Special Counsel in MinterEllison’s Insurance & Corporate Risk team.

“However, whilst cyber insurance is a useful risk management measure for many organisations, it is important to recognise it is not a panacea and must form part of a wider toolkit of cyber risk management measures.”