Big cyber breach fines approaching

by Resolve Editor Kate Tilley

A cyber insurance specialist has warned that changes to Australia’s Privacy Act will soon dramatically increase fines and penalties for cyber breaches.

Colin Pausey, chief operating officer at Australia’s only specialist cyber insurance underwriting agency, Emergence Insurance, told the AILA Queensland Insurance Intensive that fines and penalties in Australia were “out of kilter” with the rest of the world. “The Privacy Act 1988 was enacted before the advent of the digital age.”

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 was passed in December 2022, raising penalties from a maximum of $300,000 for individuals and $2.2 million for corporations to $2.5 million for individuals and, for body corporates, the greater of:

• $50 million
• 3X the value of the benefit obtained from a “serious or repeated interference with privacy”
• or, if that can’t be determined, 30% of the organisation’s adjusted turnover for the “relevant period”.

Mr Pausey said the new regime also expands the Privacy Act’s territorial powers, strengthens the notifiable data breach scheme, introduces information-sharing powers between government bodies, and enhances the Office of the Australian Information Commissioner’s (OAIC) ability to investigate privacy breaches.

OAIC will soon have privacy and freedom of information commissioners, in addition to the information commissioner, because “the government realised the issues were too diverse for the current structure”.

Review report

It is anticipated the Act will be further strengthened in line with 116 proposals in a Privacy Act review report, released on 16 February 2023.

Mr Pausey said the aim “is to ensure the Act is adequate to protect Australia’s privacy in the digital age”.

“I have heard no compelling argument against any of the proposals other than the Small Business Council and its allies arguing against changes to the small business exemption.” Currently businesses with less than $3 million annual turnover are generally exempt from the Act, with a few exceptions, like those dealing with tax file numbers and credit or health information.

With more than two million businesses in Australia likely to become subject to the second tranche of revisions to the Act, Emergence is now considering whether its current policy is fit for purpose and affordable for small businesses.

Mr Pausey admits statistics around cyber are rubbery, but says they show the average small business spends less than $500 a year on cyber security. “We’re targeting a wording that will cost less than $400 a year but provide meaningful cover for a breach.”

Second tranche

He anticipates a rise in class actions for privacy breaches when the second tranche of Privacy Act changes is implemented.

Australia also is likely to adopt a broader definition of personal information that mirrors Europe’s General Data Protection Regulation (GDPR) and introduce a statutory tort of privacy.

Another significant proposed amendment, in line with GDPR and most other jurisdictions, is reducing the timeframe to notify OAIC from 30 days to 72 hours. “I don’t think anyone needs 30 days to assess whether a data breach is likely to result in serious harm.”

When faced with a ransomware claim, Mr Pausey said most uninsured companies, with no specialist team to assist them, floundered and failed to communicate effectively.

“Insurers will reimburse the cost of a ransom, but lawyers and insurers should never make the decision to pay the ransom. That is a decision only the company should make.” The legality of paying a cyber ransomware demand probably depended on whether there were potential breaches of money laundering or terrorism funding legislation and the availability of the defence of duress.

Mr Pausey said kidnap & ransom insurance had been available for more than 50 years.

Complex demands

He said it was rarely necessary to pay the amount initially demanded. “Threat actors negotiate a ransom but, if the demand is not met, unless a company has effective back-ups, it may struggle to continue operating.”

Mr Pausey said ransomware demands could be complex and often included:

• A guarantee to unencrypt data if the ransom is paid
• Warnings against seeking police assistance
• Requests for insureds to anonymously advise their insurance policy limits so the demand can be adjusted accordingly.

Data mining

Mr Pausey said data mining was a crucial part of a notifiable data breach. “You have to know what data was involved so you can assess the likelihood of serious harm and know who to notify. You have to know what individual information was affected. Sometimes the data mining or e-discovery process is one of the most expensive parts of a cyber claim.”

When managing a claim, the objective was to keep the OAIC promptly informed with the objective to get them to close their file without launching an investigation. “If you set out a process and act in a timely way, OAIC will generally work with you.”

Mr Pausey said cybersecurity was really important but not rocket science. “It’s not difficult. The Federal Government’s Australian Cyber Security Centre has published what’s called the essential eight.”

He recommends, at the very least:

• Backups be stored offline and regularly tested
• Using multifactor authentication
• Awareness training
• Implementing the principle of least privilege – giving people only the level of access required to do their job
• Patching regularly and often.

“If you don’t tick the obvious boxes, and do more if you can, it may be difficult or expensive to buy cyber insurance. Fundamentally insurance improves cyber security because we generally don’t insure a risk unless some cyber security protocols are in place.

“But insurance is only part of the solution. Anything a company can do to make itself cyber fit is really important.”

Mr Pausey said cyber was one of the most important insurance products in the marketplace and “every company needs it”.