The Regulator

Exposure overview

The privacy regulator, the Office of the Australian Information Commissioner (OAIC), is placing an increasing emphasis on strategic enforcement and on efficient avenues of redress for individuals.

"The significant increase in penalties reflects the serious nature of privacy breaches and the need to ensure that entities take their privacy obligations seriously."
Angelene Falk, Australian Information Commissioner, OAIC, Senate Estimates, 23 October 2023.

The Law

The Privacy Act 1988 is the Australian law that protects individuals' privacy and regulates how personal information is handled by government agencies and the private sector organisations it covers. The penalties for serious or repeated interferences with privacy are significant. For a body corporate, the maximum penalty is the greater of:

  • AUD $50 million,
  • three times the value of the benefit obtained from the breach, or
  • 30% of the company's adjusted turnover during the breach turnover period, where the value of the benefit cannot be determined.

Scale of the problem

The OAIC, Australia's primary privacy regulator, has significantly ramped up its enforcement activity in recent years. Key points:

  • Increased penalties: as noted above, the OAIC can now seek substantial penalties for serious or repeated privacy breaches.
  • Compliance notices and investigations: the OAIC has been actively issuing compliance notices and investigating organisations that fail to meet their privacy obligations.
  • High-profile cases: several high-profile enforcement actions have resulted in significant fines and orders for corrective action against companies following data breaches and privacy violations.

Exposure Mitigation

To mitigate the risk of a privacy breach, organisations should consider implementing the following, in conjunction with their wider security programme and the advice of their IT security adviser:

  • Appoint someone with overall responsibility for privacy. This role is often referred to as the Privacy Officer, and it should own both the organisation's privacy obligations and its data breach response.
  • Enforce multi-factor authentication (MFA): require a second form of verification on all remote access points (VPN, remote desktop, cloud and email consoles) and on administrator accounts, so that a stolen password alone does not grant access.
  • Maintain regular, tested backups: keep offline or otherwise protected copies and test restoration, so that operations can resume quickly after ransomware or another destructive incident. Note that backups do not undo a breach in which data has already been copied out.
  • Educate and train employees: provide ongoing security awareness training so that staff can recognise and report phishing and social engineering attempts.
  • Keep software and operating systems patched: apply security updates promptly to operating systems (e.g. Windows), applications and security tools to close known vulnerabilities, prioritising internet-facing systems.

Insurance Solution

Cover 2.b: Regulatory Fines and Penalties

Regulatory Fines and Penalties and Defence Expenses, which the Insured is legally obligated to pay as a direct result of a Third Party Claim arising from a Security Breach or Privacy Breach.