National Data Breach Scheme disclosure law will hopefully lift Australia’s cyber security game
Australia will kick off the cyber security year with a bang when its new data breach disclosure legislation comes into effect on 22nd February 2018.
The mandatory data breach notification law underscores Australia’s recent efforts to lift its cyber security game both locally and internationally, bringing the country into line with other efforts, such as the European Union’s General Data Protection Regulation (GDPR).
Under the Australian legislation, organisations with a turnover of more than A$3m, as well as Commonwealth government agencies, must notify the privacy commissioner and individuals affected by a data breach.
The new laws are enforceable from 22nd February and civil penalties for not complying range up to A$360,000 for individuals and A$1.8m for corporate bodies.
The legislation has already raised awareness of the need for cyber risk insurance, which has become the fastest growing commercial segment of Australia’s insurance market.
The new rules are also set to change organisations’ attitudes towards how they report cyber attacks and what they regard as a cyber attack.
In a recent report from the auditor general of New South Wales (NSW), Australia’s biggest state economy, the 39 largest NSW government agencies were required to divulge their cyber attack exposure over the last financial year.
One-third of NSW government agencies reported no cyber attacks at all during that period, which local industry observers described as “ridiculous’’, noting that it was not credible that an agency would have zero attacks over a 12-month period.
Estimates of losses to the Australian economy from cyber attacks vary. A briefing paper from the federal government’s Department of Prime Minister and Cabinet noted that Australians lose about A$1bn a year to cyber crime. But because worldwide losses from cyber attacks are about 1% of GDP, the real impact of cyber crime on Australia could be around A$17bn a year.
Layer 8 Security is helping many organisations to become prepared for the legislation changes and to reduce their exposure and risk profile. This has added benefits in that, reductions in risk profiles assists these organisations in receiving lower premiums for cyber insurance.
