Australian organisations are increasingly targeted by 'aggressive' cyber litigation, which may increase further with Australia's upcoming mandatory data breach reporting requirements, says law firm Jones Day.
Adam Salter, one of Jones Day's Cybersecurity, Privacy & Data Protection partners, believes that, given the increase in hacking and the upcoming breach requirement laws, businesses must start getting ready for mandatory compliance, as the Bill is currently before parliament and seems to have bipartisan support.
“Based on our experience in other jurisdictions that have introduced mandatory data breach notification, such as the U.S. and the EU, companies that are not adequately prepared are at greater risk of being sued by their corporate customers (for breach of privacy obligations embedded in their customer contracts) and by consumer customers,” Salter says.
Alastair MacGibbon, the Prime Minister's Special Adviser on Cybersecurity, says that complacency is not an option for anyone in the cyber risk war.
“The Australian government recognises that we must lead by example when it comes to detecting, deterring and responding to cyber threats and risks. But we cannot do this in isolation. It is absolutely critical we partner with and have the support of businesses to drive and implement the initiatives we outlined in our Cyber Security Strategy. Strong cyber defences have much wider ranging implications than most people realise – it has huge benefits to our economy, improves social opportunities of connecting online and boosts our national prosperity," says MacGibbon.
In addition, Mauricio Paez, one of Jones Day's New York-based Cybersecurity, Privacy & Data Protection partners, says the United States has seen many cases of private class actions and government enforcement since mandatory data breach notification was implemented.
“Data breach notification has the positive effect of providing due warning to potentially affected individuals to enable them to take appropriate steps to guard against identity theft, and other potential harms. Breach notification also means that cyber breaches could now be very public events that can result in private litigation, reputation and brand harm, and lead to governmental investigations, thereby increasing the legal risks to the reporting business," Paez says.
Eddie Sheehy, cybersecurity CEO of Nuix, says data protection must involve a 'holistic' approach, bringing in stakeholders across all organisational departments.
“Building a culture of security in an organisation must be a top priority for executives, starting with an understanding of where the crown jewels are kept and then having a strategy in place to protect them from insider threats," says Sheehy.
How do Australian organisations comply with data breach requirements? Salter says that a review and improvement of data security, policies and guidelines is the first step, making sure that there are systems to deal with issuing data breach reports to customers and authorities. This also decreases litigation risks; however, offshore data and cloud storage could still be issues.
“In particular, businesses should review (or if not already in place develop) risk management and compliance policies and procedures to both prevent data breaches and deal with them, in the unfortunate but increasingly likely event that they occur,” Salter concludes.