There is a growing trend, domestically and abroad, towards legislators and regulators taking a more active role in setting data security standards and holding businesses to a greater level of scrutiny in respect of data breaches.
This trend is clear from recent events in Australia. In April 2015 the Federal Government announced that it is committed to enacting mandatory data notification laws. Just last week on 8 July 2015, the Prime Minister convened a meeting of chief executives and chairs of a number of Australia’s top listed companies and other business leaders to discuss cyber security issues, including the threats posed to corporations. In addition, a growing number of Australian regulators are demonstrating an interest in monitoring cyber risk and data breach issues.
Australian Regulatory Convergence
Traditionally, issues of data privacy and security have been regulated in Australia under the purview of the Australian Information Commissioner, through the Australian Privacy Commissioner as part of the voluntary data breach notification regime. However, there is increasing regulatory convergence in the cyber risk and data breach space with a number of regulatory agencies taking an active role. For example:
- In 2014, the Australian Cyber Security Centre (ACSC) was established by the Federal Government. The ACSC brings together existing cyber security capabilities across a number of organisations, including the Attorney-General’s Department and the Australian Federal Police. The ACSC has a mandate to raise awareness of cyber security, report on the nature and extent of cyber threats and to encourage reporting of cyber security incidents.
- In March 2015, the Australian Securities & Investments Commission (ASIC) issued a “Cyber resilience: Health check” report, with the stated purpose of helping ASIC’s regulated population increase their awareness of cyber risks. ASIC’s report highlights the major systemic risk that cyber-attacks pose to the financial services industry including because of the electronic linkages in the financial system, including between market participants and financial market infrastructure.
- In 2013, the Australian Prudential Regulation Authority (APRA) issued Prudential Practice Guide CPG 235 Managing Data Risk (CPG 235), a cross-industry guideline that applies to all authorised deposit-taking institutions (ADIs), general and life insurance companies and superannuation funds regulated by APRA. The APRA CPG 235 guidance document is designed to assist institutions in managing data and complying with APRA’s prudential requirements.
Step up in regulatory activity abroad – US regulator reaches record $25 million settlement
Looking abroad, jurisdictions that already have data security and mandatory data breach notification laws in place are imposing harsher penalties on businesses.
In April 2015, the US Federal Communications Commission (FCC), entered into a $25 million settlement with AT&T Services Inc, the second largest cellular carrier in the US, to resolve an investigation into consumer data security breaches.
The settlement represents the largest data security penalty levied by the FCC to date. The data breaches in question occurred in 2013 and 2014 when a small number of employees at AT&T call centres in Mexico were paid by unauthorised persons believed to be trafficking stolen smartphones to access customer information that could be used to unlock handsets. The breach resulted in unauthorised disclosure of almost 280,000 customer names, Social Security information and account-related data.
Imperative for assessment of Cyber-risks and jurisdictional scope of any insurance coverage
In an increasingly globalised information economy, it is important for Australian businesses that may have interests or operations offshore to be alive to international developments in cyber security regulation and enforcement.
As outlined by the US case example above, companies need to give consideration to cyber-crime risk exposure in all countries in which they operate. This risk assessment should extend to consideration of the jurisdictional scope of any existing or prospective insurance coverage, including any specific cyber-liability policies, that may operate to mitigate and manage cyber-liability risks.