2015 was the year that Australian companies fell victim to a sudden increase in hacks and security breaches, and this trend is expected to continue through 2016.

Businesses can be vulnerable to security breaches through:

  • Human error
  • Opportunistic exploitation of a system weakness
  • Malicious attack

The types of losses and liabilities that can be suffered are broad and far-reaching.

First-party losses include the cost of:

  • Data investigations
  • Restoring data
  • Repair of reputation
  • Notification
  • Monitoring
  • Forensic services
  • Ransoms
  • Business interruption

Liabilities to third parties are less easy to predict as the law isn’t yet clear. Possible liabilities may include:

  • Losses suffered by clients whose personal and sensitive data has been misused
  • The costs incurred by a party with whom a business has contracted
  • Possibility of a class action by affected persons or businesses
  • Exposure to personal injury, for example where a health provider’s network is inaccessible

Insurance coverage is wide-ranging and varied, and comparing cover is not straightforward. Many of the above losses can be covered under a comprehensive cyber policy, with the exception of most personal injuries.

Preparation for a data breach is essential:

  1. Have an IT response plan – see the Office of the Australian Information Commissioner website for an example.
  2. Have a crisis management response plan which will assist in dealing with the media and affected clients and third parties.
  3. Be secure – from an IT perspective, have sufficient security and encryption where necessary: see the Office of the Australian Information Commissioner website for guidance.
  4. Understand the requirements of mandatory reporting when it is introduced.
  5. Ensure a company’s board has an appreciation of the risk now – surveys show there is still resistance to appreciating the exposure.
  6. Train staff in the proper use of data and the security measures adopted.