Conference Issue 2016


Breach notification 'game changer'?


By Kate Tilley, Editor, Resolve

Mandatory data breach notification (MDBN) may or may not be a game changer for cyber insurance, HWL Ebsworth Lawyers’ Andrew Miers told the AILA conference.

In a presentation adopting the conference theme, he presented both sides of the equation for MDBN.

Underwriters were "champing at the bit" to get MDBN and there was proposed legislation before Federal Parliament. It could be a game changer because increased awareness of the risk would make insurance more attractive and create claims data to enable the market to mature.

"But the perceived impact may be over-rated and exaggerated." Well-publicised breaches had put cyber risk "more squarely on the agenda" without MDBN.

"The world has moved on from when the internet was less sophisticated." Cyber hackers were more sophisticated and there was a "massive risk factor". There was an increased regulatory focus on risk management obligations and the need for cyber resilience.

Mr Miers said underwriters had said there was an increasing uptake in cyber policies. But he warned that it may be difficult for the industry to respond to threats like critical infrastructure being controlled in cyberspace.

"Insurers must be part of the risk management approach. There are plenty of opportunities in this new area of risk. Perhaps the game has already changed," he said.

Cyber insurance had emerged in the USA "well before Facebook, Google and Y2K". AIG had introduced a policy in 1997 that covered third party liability from external hacking. It was then expanded to cover first party losses, business interruption, extortion demands and system restoration.

In 2002, California introduced mandatory breach notification and since then 47 US states have introduced MDBN laws.

The cyber insurance market developed as a result and expanded to add new coverages, like breach notification costs, PR consultancy, IT forensics, regulatory costs and penalties and credit monitoring for clients.

Notification laws were a major driver of cyber insurance [in the US] and that’s why it will probably be a game changer in the Australian market, Mr Miers said.

A 2008 Australian Law Reform Commission privacy law review had recommended MDBN; the Office of the Australian Information Commissioner had a voluntary guide recommending notification; and the Financial Services Inquiry had recommended it.

The Labor Federal Government had attempted to introduce MDBN with a 2013 Bill, but it had not passed in the Senate before an election was called.

In 2014, when metadata legislation was proposed, it was seen as a threat to personal privacy.

In December 2015, draft consultation legislation was released and a revised Bill was now proposed. Mr Miers said it was not yet public, but he expected it to be similar to the prior draft.

 
 
 

Resolve is the official publication of the Australian Insurance Law Association and
the New Zealand Insurance Law Association.