The Federal Government has said it is now “committed to introducing a mandatory data breach notification scheme by the end of 2015”. The enactment of such laws will change the face of cyber exposures in this country, particularly for insurers, and add a new level of compliance costs for Australian organizations.
Whilst voluntary notification of data breaches is encouraged, there is currently no law or provision under the Privacy Act requiring mandatory reporting. This means that data breaches can and still do “fly under the radar” in this country.
Although we have not yet seen the draft legislation, it is anticipated that the proposed laws will require notification of a breach event not only to the Privacy Commissioner but to affected individuals whose personal and/or confidential information has been disclosed in an unauthorised way.
It is reasonable to assume that, just like the United States (where mandatory notification laws have been in force for the past decade), insureds caught by this legislation will have little choice but to accommodate the likely increased regulatory and compliance burden, and find ways to mitigate their increased cyber risk exposures as these events become public (in some cases, for the very first time).
From all reports, those already writing cyber coverage in the Australian market are experiencing great returns for the financial year just finished. But if the government is true to its word, insurers and insurance brokers should ready themselves for a steady increase in demand for cyber cover, given the legal changes that are now on the drawing board.