The Privacy Act, including the Notifiable Data Breach requirements, applies to private sector organisations with an annual turnover of A$3 million or more. However, certain types of businesses with less than A$3 million in annual turnover are not exempt from the Privacy Act. These include health service providers, businesses that hold tax file numbers, and credit reporting bodies.
Australia experienced a significant surge in data breaches in 2024, with 9% more privacy breaches reported in the six months to June 2024 than in the previous six months. This increase highlights growing cybersecurity challenges across various sectors. The health sector and financial services were two of the most affected industries. Malicious attacks, particularly cyber incidents, accounted for 67% of breaches, while human error contributed to 30%. The MediSecure breach, which affected 12.9 million Australians, stands out as the largest since the Notifiable Data Breaches legislation came into effect. In response, the OAIC is advocating for stronger cybersecurity measures and stricter enforcement of privacy regulations.
*Notifiable Data Breaches Report, June 2024
To mitigate the risk of privacy breaches, organisations should consider implementation of the following in conjunction with their wider security programme and the advice received from their IT security adviser:
Incident Response Expenses: expenses incurred as a direct result of a Security Breach or Privacy Breach. Reasonable costs and expenses in responding to a Security Breach or Privacy Breach that affects the Insured directly, or in responding to a Security Breach or Privacy Breach at an Outsource Service Provider that affects the Insured, being the reasonable:
a) fees charged by the Incident Response Team to provide services due to an actual, suspected or alleged Security Breach or Privacy Breach;
b) costs of an external IT forensic company to determine the cause, scope and extent of a Security Breach that impacts the Computer System operated by the Insured or to mitigate any ongoing harm to the Computer System operated by the Insured;
c) expenses incurred to restore or recreate Digital Assets that are stored on the Computer System operated by the Insured. If it is determined that Digital Assets that are stored on the Computer System operated by the Insured cannot be restored or recreated, the Insurer will only reimburse the Insured’s costs and expenses incurred up to the date of such determination;
d) costs of an external IT forensic company to mitigate Business Interruption Loss;
e) costs and expenses of a legal firm to determine any actions necessary to comply with Privacy Regulations;
f) costs and expenses to notify individuals in compliance with Privacy Regulations;
g) costs of setting up a telephone call centre to support notified individuals and to provide credit file monitoring services and identity theft assistance, for a maximum of 12 months; and
h) crisis communication expenses.