2015 was the year that Australian companies fell victim to a sudden increase in hacks and security breaches, and the expectation is that this trend will continue through 2016.
Businesses can be vulnerable to security breaches through:
- Human error
- Opportunistic exploitation of a system weakness
- Malicious attack
The types of losses and liabilities that can be suffered are broad and far-reaching.
First party losses include the cost of:
- Data investigations
- Restoring data
- Repair of reputation
- Forensic services
- Business interruption
Liabilities to third parties are less easy to predict as the law isn’t yet clear. Possible liabilities may include:
- Losses suffered by clients whose personal and sensitive data has been misused
- The costs incurred by a party with whom a business has contracted
- Possibility of a class action by affected persons or businesses
- Exposure to personal injury, for example where a health provider’s network is inaccessible
Insurance coverage is wide-ranging and varied and comparing cover is not straightforward. Many of the above losses can be covered under a comprehensive cyber policy, with the exception of most personal injuries.
Preparation for a data breach is essential:
- Have an IT response plan – see the Office of the Australian Information Commissioner website for an example.
- Have a crisis management response plan which will assist in dealing with the media and affected clients and third parties.
- Be secure – from an IT perspective, have sufficient security and encryption where necessary: see the Office of the Australian Information Commissioner website for guidance.
- Understand the requirements of mandatory reporting when it is introduced.
- Ensure a company’s board has an appreciation of the risk now – surveys show there is still resistance to appreciating the exposure.
- Train staff in the proper use of data and the security measures adopted.