Mandatory data breach legislation comes into effect February and has already put a rocket under the local market in cyber security insurance as well as supporting legal services.
Earlier this year, the Insurance Council of Australia said the local cyber insurance market had been growing more quickly than any other commercial risk market.
“Cyber-insurance is recognised as the fastest growing commercial segment of the Australian market,” an ICA spokesperson told InnovationAus.com back in May.
Under the legislation that activates in February, organisations and Commonwealth Government agencies must notify the Australian Privacy Commissioner as well as affected individuals affected or at risk from the breach.
Civil penalties for not complying range up to $360,000 for individuals and $1.8 million for bodies corporate.
The pace of the local cyber insurance market has been ramping up. Last November, global insurance house Lloyds said demand for cyber insurance in Australia had increased by 168-fold in the past two years.
Also pushing ahead is demand for the legal services that wrap around cyber risk insurance.
“Over the coming months and into the new mandatory reporting regime, the demand for legal services will undoubtedly increase and firms will seek to capitalise on that,” Norton Rose Fulbright partner John Moran told InnovationAus.com.
Mr Moran said there was increasing demand for legal firms to act as ‘breach coaches’ who step in to support organisations going through the pain of being blackmailed by ransomware or having leaked client details all over the public internet.
“The first 24 to 72 hours are crucial,” says Mr Moran. “As breach coach, our role is to help organisations assess the scope and nature of the incident and plan out the incident response.
“Typically, this involves understanding the internal capabilities of an organisation and identifying where external assistance is required from legal or other vendors (such as IT forensic or public relations) and assisting with the onboarding process,” he said.
“The legal issues depend on whether the incident is a network interruption event such as DDOS or a ransomware attack or a data breach event. In the former, the legal issues are narrower (although typically include ‘whether to pay the ransom demand’) whereas in the latter, the legal issues are more complex and can span a greater time period.
“As breach coach, legal counsel will advise on whether an organisation has obligations to notify stakeholders including affected individuals, regulators and law enforcement of the incident, and how to coordinate the notification campaign.
“As most incidents are caused by a third-party vendor such as an IT service provider, there are often tricky relationship and contractual issues to navigate. As breach coach, we assist organisations to manage this process to ensure that the vendor provides assistance. while also protecting any rights of recovery against that vendor.”
Mr Moran will be speaking at the InnovationAus.com Cyber Insurance forum in Sydney on September 21 along with a range of other guests including Lloyds of London general representative Australia Christopher Mackinnon and special cyber security advisor to the Prime Minister, Alastair MacGibbon.
Mr Moran says timing is all when a data breach comes down after the mandatory reporting rules come in February.
“Timing is critical,” he says. “Organisations and agencies will be required to conduct an assessment of whether an eligible data breach has occurred within 30 days of becoming aware that there are reasonable grounds to suspect that there may have been an eligible data breach, and if an organisation or agency has reasonable grounds to believe that there has been an eligible data breach, they must notify as soon as practicable thereafter.”
His top five tips for responding to a breach are:
- Develop and test an internal response process to ensure that potentially notifiable incidents are identified and reporting to the legal / risk management function as early as possible. Valuable time can be lost in the initial phase.
- Seek the assistance of external legal counsel and other vendors, where appropriate, to limit an organisation’s operational disruption when responding to an incident. Vendors can advise organisations on whether remedial action can be taken to avoid the risk of harm from eventuating, which may remove the need to notify.
- Although organisations and agencies must notify where required, organisations and agencies should not adopt a strategy of notifying all incidents as a matter of course. This is not the intention of the legislation and will cause notification fatigue. On the other hand, ensure that you have a sound legal basis for not notifying, after having received external legal advice where appropriate.
- Where an organisation or agency chooses to notify external stakeholders, the notification campaign should be well structured to monitor post notification risk from affected individuals and regulators. This ensures the organisation manages the ongoing regulatory and claims risk.
- Notify insurers as soon as possible and where possible, obtain consent from insurers before taking any key steps or incurring costs. This will ensure that cover is not jeopardised due to late notification.