With mandatory data breach notification legislation shortly coming into effect, timing will become critical when it comes to responding to incidents.
Come 22 February 2018, organisations and agencies subject to the Privacy Act 1988 will be required to conduct an assessment of whether an eligible data breach has occurred within 30 days of becoming aware that there are reasonable grounds to suspect that there may have been an eligible data breach. If an organisation or agency has reasonable grounds to believe that there has been an eligible data breach, it must notify as soon as practicable thereafter.
Our top five tips for responding to data breach incidents are:
- Develop and test internal response processes to ensure that potentially notifiable incidents are identified and reported to the legal / risk management function as early as possible. Valuable time can be lost in this initial phase.
- Seek the assistance of external legal counsel and other service providers, where appropriate, to limit the potential exposure following an incident. External providers can advise organisations on whether remedial action can be taken to avoid the risk of harm from eventuating, which may remove the need to notify affected individuals and the Privacy Commissioner.
- Although affected individuals and the Privacy Commissioner must be notified where required, organisations and agencies should not adopt a strategy of notifying all incidents as a matter of course. This is not the intention of the legislation and will cause notification fatigue. On the other hand, organisations and agencies should have a sound legal basis for not notifying, after having received external legal advice where appropriate.
- Where an organisation or agency chooses to notify, the notification campaign should be well structured to monitor post notification liability risk from affected individuals, stakeholders and regulators. Organisations and agencies should manage their ongoing regulatory and claims risk post notification.
- Notify insurers as soon as possible and obtain consent from insurers before taking any key steps or incurring costs. This will ensure that cover is not jeopardised due to late notification.
We are proud to be hosting the InnovationAus.com Cyber Insurance Forum in Sydney on 21 September 2017, where John Moran, Partner at Norton Rose Fulbright, will be speaking alongside Christopher Mackinnon, Lloyds of London general representative Australia and Sandra Ragg, Assistant Secretary, Cyber Policy, Department of the Prime Minister and Cabinet.
This blog post is an extract from an article published by InnovationAus.com based on an interview with John Moran. You can read the full article – Cyber Insurance gets a Rocket – here.