The number of cyber breaches Australian organisations have endured has increased by 18 per cent in the last year. High profile breaches in recent months include the NAB, Australian National University, Canva and Landmark White. Some of these entities have suffered multiple breaches.
Today, a cyber attack or data breach is approached as a “when” issue rather than an “if” proposition and responsible organisations are investing in more robust cyber security systems and processes, and finessing incident response plans for when a breach takes place.
There is, however, one overlooked area that Australian organisations may have misunderstood: many mistakenly believe that the General Data Protection Regulation (GDPR), which came into force in May 2018, applies only to European organisations. That is not the case. The GDPR applies to any organisation, regardless of location, that offers goods or services to, or monitors the behaviour of, European residents. A €110 million GDPR fine was levied recently against international hotel chain Marriott after the personal records of 339 million international guests were hacked. That fine amounts to around 3 per cent of revenues.
Aon’s recently released report, The Price of Data Security, compiled in association with law firm DLA Piper, notes that the GDPR has revolutionised data protection and significantly affects how organisations around the world collect, use, manage, protect and share personal data. Penalties for non-compliance are stiff, with fines of up to €20 million or 4 per cent of global revenues, whichever is higher.
Any Australian entity which collects, stores or uses the personal data of Europeans – be they customers, patients, students or employees – risks severe penalties if it does not understand and adopt the compliance framework the GDPR requires, which covers the protection, storage, handling and ultimately the security of that data.
GDPR fines span the globe – Australian businesses must respond
Any organisation holding personal information must keep it safe, and the obligation is even stronger where the GDPR applies to the organisation’s processing of personal data. A significant breach of data which can be linked to an individual – including their name, address, email details, photograph, employee ID or similar – must be notified to a relevant European regulator within 72 hours. After that, the regulator will decide what, if any, further action needs to be taken. It does not matter where the breach happened: if the breach involves the personal data of EU residents, it must be notified to a European regulator.
Locally, the first annual report from Australia’s Notifiable Data Breaches scheme reveals that in the 12 months to the end of March 2019, 964 eligible data breaches were reported to the Office of the Australian Information Commissioner (OAIC).
In this environment, where serious cyber breaches are increasing, Australian organisations dealing with European data must comply with GDPR, or potentially face hefty GDPR fines and penalties.
It is critical that Australian businesses operating internationally, or holding European citizens’ data, treat personal data with great care. Reputational damage from a cyber breach in one market can rapidly affect consumer sentiment in another.
At the same time, regulators are increasingly taking an international stance on compliance, which could mean that a multi-jurisdictional breach incurs the same harsh penalties from different regulators around the world.
Consequently, Australian organisations need to urgently review their exposure to GDPR and the opportunity to transfer risk.
The role of cyber insurance
Cyber insurance typically covers civil rather than criminal penalties. Aon’s recent report, The Price of Data Security, sets out the legislative landscape in Europe as it pertains to insurance cover for a data breach. Generally, in Australia cyber insurance could extend to GDPR fines where permissible at law.
However, a GDPR fine is only one of many costs associated with a data breach. Other costs can be far more damaging, for example legal and litigation fees, the expense of regulatory investigations, reduced revenues as a result of business interruption, remediation, public relations, compensation and notification costs – all of which could potentially be covered by a robust cyber insurance policy.
It is also important to note that the GDPR makes it easier for people who have suffered material or non-material damage (including distress, anxiety and reputational damage) to claim compensation. This injects further potential cost and risk.
Organisations that believe they have suffered a breach need to triage the incident immediately and appropriately in order to mitigate the risk, and the quantum, of a GDPR fine. The 72-hour GDPR reporting window creates a particularly acute and costly challenge, and will often require companies to rely on a professional incident response team comprising digital forensics specialists, lawyers and communications teams skilled in crisis response.
For advice about the best approach to protect your business from a data breach, contact Aon today.