Long considered of critical importance only to data-intensive business models, the changes to the Privacy Act which came into effect on 12 March 2014 may not have received the appropriate degree of attention in the broader corporate sphere.
Our article ‘Imminent changes to the Privacy Act – Why you need to action now’ published on 18 February 2014 outlines the key issues applying to businesses from a wide range of industries.
The lack of attention given to the new privacy regime is particularly pronounced in the area of insurance.
In this article we consider some of the changes introduced by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) (Act) which an organisation should consider within the context of the adequacy or otherwise of their insurance arrangements.
Key Changes to Privacy Legislation
From an insurance perspective, the significant changes arising under the Act are:
- the Office of the Australian Information Commissioner (formerly the Privacy Commissioner) (Commissioner) has significant new powers. The Commissioner has power to:
- conduct ‘own motion’ investigations and audits
- conduct assessments of privacy performance for both Australian government agencies and businesses
- accept enforceable undertakings
- seek civil penalties in the case of serious or repeated breaches of privacy
- commence proceedings in the Federal Court or Federal Magistrates Court
- develop binding privacy codes which are in the public interest, and
- there is a new civil penalty regime for breach of certain parts of the Act. These relate primarily to breaches of the credit reporting provisions, but there is also a civil penalty for serious or repeated privacy infringements. The penalty is $340,000 for individuals, and $1,700,000 for bodies corporate. There is no guidance to date on what constitutes a ‘serious’ breach.
Privacy and your insurance coverage
There are a variety of different insurance policies which provide cover for statutory prosecutions commenced by a regulatory authority empowered to take such action. The Office of the Commissioner should satisfy the standard definition of a statutory authority.
There are fewer policies which provide cover for investigations commenced by a statutory authority, with cover more often limited to the preparation and attendance of individuals at a statutory inquiry or investigation. Cover may not always apply to the corporate entity.
Only a limited number of insurance policies provide cover for statutory fines and penalties.
These types of insurance policies may include Directors & Officers Liability (D&O), Management Liability (Management), Professional Indemnity (PI) or Statutory Liability (Stat Liability).
Many of the insurance policies which may provide some element of cover to respond to the new Privacy legislative regime also impose a number of hurdles which must be satisfied before cover is triggered, and/or make cover entirely discretionary depending upon the likelihood of successfully defending a prosecution.
For these reasons, we suggest a review of your current insurance arrangements to gain an understanding of what, if any, insurance cover may be available to respond to the two key issues arising under the new Privacy legislative regime highlighted above: investigation by the Commissioner, and prosecution and penalties.
Other key issues
In addition to the type and extent of any insurance policy coverage, the following additional issues are also important to consider.
Given the obligations imposed on individuals under the Act, and particularly within the context of the potential for individual fines to be imposed, it is important that the scope of any insurance coverage define the ‘insured persons’ to encompass not only a corporate entity’s directors and officers but also senior managers and employees who fulfil roles which may impose obligations under the Act.
While many D&O, Management, PI or Stat Liability policies would include a reasonably broad definition of ‘insured person’ as standard, the standard D&O policy may not extend to include employees. In most instances, these policies will not include cover for consultants, contractors, subcontractors or agents engaged to perform work for or on behalf of a corporate entity.
It will therefore be important to consider the category of persons for whom a corporate entity may be liable to ensure appropriate insurance cover is in place.
In the event the Commissioner pursues a prosecution under the Act, in accordance with the definition of ‘claim’ under most of the types of insurance policies mentioned above, insurance cover should be available. It will however be important to consider if cover is provided for both the corporate entity and ‘insured person’.
Where an ‘insured person’ is called to provide documents or information or to appear before any ‘formal investigation’ commenced by a regulatory authority, including the Commissioner, empowered under the Act, cover should be provided under the substantive part of many of the insurance policies indicated above or under specific policy extensions such as that for Legal Representation Expenses or Inquiry Costs.
These same insurance policies may not respond to the same extent for the corporate entity.
In light of the powers held by the Commissioner under the new Privacy legislative regime, it is important for companies and individuals to assess the type and extent of insurance coverage which may be available to protect their interests in the event of investigation and/or prosecution.
Any assessment should include consideration of:
- the type of insurance policies currently in place
- whether cover is provided for the corporate entity and the various categories of persons to whom cover is extended
- what, if any, cover is available, and to whom, in the event of the necessity to appear or provide documents or information before any formal investigation arising under the new Privacy laws
- what, if any, cover is available, and to whom, in the event of a prosecution by way of legal proceedings pursued by the Commissioner
- what, if any, cover is provided for fines and penalties
- the adequacy of any limit of liability available under any insurance cover if multiple parties’ interests are to be protected and defence costs are incurred within, rather than in addition to, such limit, and
- which policy will respond first, and what happens if cover is denied, where a company holds a number of insurance policies (e.g. D&O, Management, PI and Stat Liability) under which cover may be available.
If you require assistance or guidance with such an assessment, please contact us.
Insurance industry response
As with any significant new legislative regime, the insurance industry typically responds in some way to expand existing insurance policy coverage or create standalone bespoke insurance products.
The new Privacy legislative regime has prompted such a response with a range of policy enhancements and new insurance products available in the market. The utility of these policies, particularly within the context of the other insurance policies which may already be available, is questionable.
Where to from here?
The Act gives effect to the Federal Government’s first stage response to the Australian Law Reform Commission Privacy Law Review (released in 2008). The proposed second stage response, for which there is currently no time frame, is expected to deal with whether there should be a statutory tort of invasion of privacy and/or a mandatory data breach notification regime.
These further issues will be significant to the coverage afforded by insurance policies as they may give rise to a change in the litigation landscape and have financial implications for any corporate entity and/or individual.
We recommend organisations conduct a review of their current insurance arrangements to understand what, if any, cover will be available to respond to the issues arising under the Privacy legislative regime.