Insurance + Risk Services

Mandatory Data Breach Notification laws: Tips to protect your business

22 February, 2018 saw the Australian Government enact the Notifiable Data Breaches (NDB) scheme, requiring any organisation affected by a serious data breach to notify all individuals whose information may have been compromised. Non-compliance may result in heavy fines and penalties being imposed on both businesses and individual directors.

This article covers the full impact this new legislation can have on your engineering business, and what you can do to ensure you are protected.

Note: Some information in this article has been generously provided by leading Australian IT specialists, Surety[IT]

Data Breach Notification legislation – will your business be affected?

If your turnover is more than $3 million per year and are you governed by the Privacy Act 1998 (Cth.), or if you are a smaller engineering business handling sensitive information, then this new legislation can impact your business. The bill came into effect on February 22, 2018.

For more information about how to determine whether this applies to your business please refer to the OIAC (Office of the Australian Information Commissioner) website here:

What is the new law?

This legislation means that businesses who discover they have been breached, or who have lost data, will need to report the incident to the OAIC Privacy Commissioner as well as notifying affected customers as soon as they become aware of the breach.

The notification must include a description of the data breach, what kind of information it was, and recommendations on how customers should respond to the security incident.

What’s the impact of not reporting it?

Any business that fails to report a data breach can face fines of up to $360,000 for individuals and $2.1 million for businesses. Given the potential fines and penalties involved, this is a legislation every organisation, large or small, must take seriously.

What is classed as a notifiable data breach in the law?

The law considers a breach to have occurred when:

Data is accessed by an unauthorised entity, and / or disclosure or loss of customer information held by a business generates a real risk of serious harm to individuals involved.

‘Serious harm’ can mean physical, psychological, emotional, economic and financial harm, in addition to reputational damage.

Data breaches are not limited to malicious actions, such as theft or hacking but can also come from internal errors or process failures that cause accidental loss or disclosure of information.

What type of data and where?

The legislation applies to anything from personal details, medical records, financial information, credit reporting information, tax file number information etc. held on any device including mobiles, USB keys, hard drives, company networks or paper records.  The legislation has a very broad scope.

Here’s a few examples of where the legislation would apply:–

  • A mobile device containing company information is lost and there is no way of managing it remotely or ensuring that it hasn’t been accessed.
  • There is unauthorised access to a spreadsheet containing customer financial information.
  • A member of staff mistakenly emails the information of one individual to another individual.
  • A member of staff takes personal information of customers.
  • A contractor working on a database containing customer information takes a copy on their laptop and has their laptop stolen.
  • An IT staff member finds malicious software on a computer that computer stored confidential information.

What harm could result from a breach?

  • Identity theft
  • Financial loss
  • Threat to physical safety
  • Threat to emotional wellbeing
  • Loss of business / business interruption
  • Reputational damage
  • Bullying
  • Loss of public trust
  • Loss of assets
  • Financial exposure
  • Regulatory penalties
  • Extortion
  • Legal liability

What you need to do now

Now the law has been introduced, it is critical that your engineering business has carefully planned strategies, as well as policies and procedures to:

  1. Reduce the risk of a data breach
  2. Swiftly manage a data breach should one occur
  3. Minimise the severity and impact of a data breach on your business

Some areas to address:

  • Take out a Cyber Insurance policy to protect against significant financial loss
  • Review your current data security strategy
  • Develop a cyber security strategy that just doesn’t involve IT
  • Educate your staff
  • Develop a data breach management strategy

To keep updated with implementation of the Notifiable Data Breaches scheme, head to the OAIC’s website

Cyber Insurance can provide financial protection for you and your engineering business

While IT strategies can help prevent data breaches, in this day and age, there is no foolproof method to guarantee total security of your data. What you CAN do however is take out a Cyber Liability Insurance policy. A Cyber Insurance policy can protect against the financial consequences of a data breach in a number of ways:

  • Fines & penalties – Financial compensation to recoup costs that result from a security breach – including regulatory fines – which can amount to $2.1 million.
  • Third party liability – Compensation for clients and customers who suffer financially or emotionally as a result of stolen data.
  • Legal and forensic investigation expenses – Extends to include expenses for legal counsel and representation, as well as and costs forensic investigation.
  • Reputational repair – Covers for the cost of professional consultants to assist in repairing damage to your company’s brand and reputation.

To ask for your Cyber Liability insurance quote, and to understand how it can protect your company’s reputation and bottom line, contact your EngInsure Insurance Adviser.

1300 854 251 |

This insight article is not intended to be personal advice and you should not rely on it as a substitute for any form of personal advice. Please contact Whitbread Associates Pty Ltd ABN 69 005 490 228 License Number: 229092 trading as EngInsure Insurance & Risk Services for further information or refer to our website.