The Australian Government has indicated that it will introduce mandatory data breach notification laws in 2015.
The statement came in the Government’s response to a report by the Parliamentary Joint Committee on Intelligence and Security (PJCIS). The report mainly dealt with Australia’s proposed “data retention” laws, which would grant the Government controversial new powers to collect and retain metadata for terrorism and criminal investigation purposes.
One of the recommendations of the PJCIS was that the Government introduce a mandatory data breach notification scheme as a measure to help detect and prevent cyberterrorism and cybercrime. In its response, the Government indicated that it agreed with the recommendation and would consult on draft legislation with a view to introducing a law by the end of 2015.
There is already a mandatory data breach notification proposal, the Privacy Amendment (Privacy Alerts) Bill 2014, before the Australian Senate. It was introduced as a private member’s bill in 2014, but its passage stalled as it lacked Government support. It now appears that the Government will introduce its own legislation.
Mandatory data breach reporting would appear to have substantial support from the Australian public: in 2013, Electronic Frontiers Australia released the results of a survey showing that 96% of Australians supported mandatory reporting, and 85% felt strongly about the need for reporting by the private sector.
Australian businesses have had no shortage of data breach incidents. In 2014, about 11,000 incidents were reported to CERT Australia, the national response team for cyber security issues affecting businesses, including targeted spear phishing, CryptoLocker, ransomware and denial-of-service attacks. The Australian Crime Commission recently estimated that cybercrime costs Australia at least AUD$1 billion (HKD$6 billion) a year.
Insurers are hoping that the introduction of mandatory data breach notification laws will be a major driver for Australian businesses to adopt cyberliability insurance products.
Cyberliability policies protect businesses against losses and liabilities associated with the theft or loss of electronic data. Companies have traditionally assumed that these losses would be covered under their general liability policies, but this is no longer a safe assumption. In 2014, the New York Supreme Court held that Sony’s general liability policy did not cover the losses incurred by that company in the 2010 PlayStation Network hacking attack. The decision not only highlighted the inadequacy of general liability policies for covering that kind of incident, but also encouraged many insurers to change their policy wording to expressly exclude cyber attacks.
Cyberliability insurance is already well established in the United States, which has had mandatory data breach notification requirements for more than a decade. The costs involved in notifying authorities and affected individuals of a data breach, while certainly not the only costs associated with a data breach, are both substantial and highly visible to management, and so it is thought that mandatory data breach laws played a major part in the popularity of cyberliability policies in that country. It appears that the introduction of mandatory data breach notification requirements in Australia would provide an incentive for more Australian businesses to consider cyberliability insurance.