Mandatory data breach notification laws have been on the table for some years. The immediate impetus for legislative reform is the February 2015 inquiry of the Parliamentary Joint Committee on Intelligence and Security, which recommended that such laws be introduced by the Federal Government.
The proposal – the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 – is based on the recommendations of the Australian Law Reform Commission. The principal purpose of data breach notification laws is not punitive. Instead, it is meant to enable individuals affected by serious data breaches to take remedial steps to avoid potential adverse consequences.
Submissions commenting on the exposure draft of the Bill closed on 4 March 2016. A number of submissions were received from relevant stakeholders, including the Insurance Council of Australia.
The proposed Bill has bipartisan support and is likely to be introduced and passed in substantially the same form as the exposure draft.1 Accordingly, the insurance industry should start preparing for the passage of the Bill now to meet the regulatory challenges posed by the proposed scheme, as well as to maximise the commercial opportunities it presents.
HOW IT WOULD WORK
The proposed Bill amends the Privacy Act 1988. The existing scope of the Act is considerable. It applies to government agencies, as well as to most businesses with an annual turnover of over AU$3 million. In addition, the Act has extra-territorial operation, extending to practices engaged in by agencies and businesses outside of Australia.
The key element of the proposed Bill is that entities must report what is termed a “Serious Data Breach”.
A Serious Data Breach concerns:
- personal information
- credit reporting information
- credit eligibility information
- tax file number information.
If a Serious Data Breach (or potential breach) is identified, the relevant entity or business is required to publish a report notifying those whose personal information has been compromised. If an entity fails to properly report a Serious Data Breach to those affected and/or the Office of the Australian Information Commissioner (OAIC), civil penalties of up to AU$1.8 million may be imposed.
In its submission to the Attorney-General’s Department, the Insurance Council of Australia expressed its support of the proposed scheme. It also raised a number of issues for consideration and clarification to ensure the scheme is “pragmatic and minimises the regulatory burden on entities subject to the Australian Privacy Principles”.2
The insurance industry collects, uses and discloses a significant amount of personal and sensitive information in the course of providing insurance quotations, issuing policies and paying claims.3
Some instances of sensitive information and documentation in the possession of underwriters, underwriting agencies, claims departments, brokers and/or loss adjusters include:
- an insured’s full name, date of birth and contact details, in the case of many types of retail policies (including private health and life insurance)
- the medical history of an insured, in the case of travel and life insurance policies
- an insured business’s turnover, the identity of key clients, the value of major contracts and claims history, in the case of many types of commercial policies
- a third party’s medical history, in the case of personal injury claims (arising from liability policies)
- the banking details of insureds and third parties.
An example of a data breach affecting the insurance industry involves NIB. In June 2015, the insurer accidentally uploaded personal details (including telephone numbers and addresses) of its members to its website. Apparently, when users logged on to the website they were able to access each other’s private information. The breach was detected after 329 individuals had accessed the website.4
The OAIC and the Australian Securities & Investments Commission (ASIC) have both released publications with suggested strategies for businesses to mitigate the risk of a breach occurring.5 Both organisations have emphasised the importance of having internal policies and procedures that aim to prevent a data breach occurring and appropriately respond to a data breach. These strategies apply to the insurance industry, especially where the AU$3 million turnover threshold is relevant. Businesses are encouraged to review:
- their physical and technical security (for example, password access and use of encryption for soft-copy transfer of data or tamper-proof packaging when physically transporting bulk publications of data)
- employee selection and training practices (ASIC recommends that employees are trained in how to identify and respond to mimicry or phishing, as well as what documentation an employee may remove from the office and under what circumstances)
- service delivery partners (even if the source of a data breach is an agent, an insurer may still be under an obligation to report the breach)
- any previous or systemic data breaches, with a view to learning from past mistakes and improving business practices.
listed companies,6 including a number of local insurers.
OPPORTUNITIES FOR INSURERS
Over the last few years there has been a boom in the popularity of cyber insurance policies in response to the ever-increasing number of cybersecurity breaches occurring globally.7 Although cyber insurance is small relative to other areas of insurance, the market is growing rapidly.8 Cyber insurance policies typically provide both first-party and third-party cover in response to a variety of losses, including:
- business interruption
- remediation costs
- third-party claims.
The possibility of significant civil penalties being imposed under the proposed scheme presents an opportunity for the insurance industry. In particular, underwriters and brokers could more actively promote the benefit of cyber insurance policies to the business community. The authors’ review of some of the most popular cyber insurance policies on the market in Australia suggests that they are likely to respond to a civil penalty award made by a court.
In the event that the proposed scheme is introduced, underwriters will need to closely monitor claim developments to ensure that cyber products continue to be priced appropriately. At this stage it is uncertain how vigorously the OAIC is likely to pursue civil penalty proceedings against businesses that breach their obligation to report a Serious Data Breach.
The proposed mandatory data breach reporting scheme is part of a larger movement towards a cyber-resilient society. Although it is impossible to prevent all breaches from occurring, it is important that the insurance industry responds to the challenges on the horizon by taking steps to mitigate cyber risk, creating resilient internal processes and adhering to the proposed scheme, when introduced.
The insurance industry is also well placed to be a beneficiary of the proposed scheme, by advocating more strongly the benefit of cyber insurance policies to the Australian business community.