Laggard Australian businesses on notice as breach notification, insurance onus ramps up

Many Australian businesses are still unprepared for the legal implications of impending data breach notification laws and will face a surge of security-related litigation as the new laws force rapid reconsideration of longstanding risk-management policies, a lawyer and data-privacy specialist has warned.

The long delays in passing the legislation, which is already in force across the United States and Europe, had left Australia “a long way behind the curve,” Jones Day solicitor Adam Salter told CSO Australia. “I’m quite surprised by that given that we’re normally relatively ahead of the curve and not too far behind it. But it has been something of a political football.”

Normalisation of breach reporting through the overseas experience, however, had taken much of the sting out of the mooted legislation – particularly as well-known corporates such as Kmart Australia and David Jones had recently taken the lead in reporting breaches.

Yet as the legislation neared passage – amidst warnings that it is still too subjective and that consumers won’t be able to cope if they know how many breaches are actually happening – a shift of focus towards “a lot more contentious things” was forcing boards to rapidly revisit their risk profiles and privacy practices in anticipation of a potential flood of litigation.

The breach-notification environment “creates more of a fertile environment for plaintiff law firms to start crafting their approaches,” Salter said. “The language around privacy compliance is a lot more complicated these days. People now have a stronger expectation of privacy – particularly with regard to data breaches and things like credit-card details – and the law is catching up with that.”

Contracts would be a particular area of focus, Salter said, with many companies building in obligations around privacy compliance and handling of personally identifiable information (PII) for their suppliers. Vendors would face class actions and litigation from their corporate customers who would be looking to pursue remedies in the event of a breach.

“You will start to see more litigation arising out of breach of those contractual provisions in B2B or [government to business] contracts,” Salter said. “There will be a lot of technical measures put in place to avoid that liability, and you will see that liability passed through the corporate structure. There will be changes to the way they craft their privacy language, and possibly civil liability between the parties on a vendor who fails to comply – in addition to the penalties in the legislation.”

As Australia continues to roll towards breach-notification legislation, Salter said, much of his advisory work is focused on guiding clients through the creation and establishment of insurance policies to back their cybersecurity efforts. The legal team is also recommending that organisations work hard to ensure internal processes and procedure are compliant with the company privacy policy, as well as reviewing contractual obligations both upstream and downstream.

“A key element to this is training for the appropriate people about what their obligations are under the privacy policy and contracts,” he noted, advising the appointment of a formal privacy officer even in smaller organisations.

“In today’s world, with the Internet and how quickly information can be spread, they need to have very good communications strategies so they are ahead of the curve in controlling the messaging in a business sense.”

Cyber-insurance policies are likely to provide a stopgap measure, with companies like Marsh Australia and QBE Insurance taking an early lead in providing policies to protect cyber breaches and Berkshire Hathaway Specialty Insurance Company this month joining the fray through a cyber-response partnership with Symantec.

Insurers “will be doing a lot more due diligence in relation to the policy holder to understand their risk profile,” Salter explained. “It’s not just a matter of what the customer’s technology is like; it’s also the history of their software or other technology having been hacked; what are the nature and size of their contracts; and who are their customers. That certainly plays into their risk profile from a dollar sense.”

Vendors providing smaller contracts to a lot of companies offer less risk to insurers than large providers “with lots of touchpoints for liability arising out of hacking,” Salter said. “A lot of the work of insurers is working out who’s on the hook.”