Businesses are still not prepared for the rollout of mandatory data breach notification laws later this month, an expert has said.
With the legislation set to take effect from February 22, Fergus Brooks, Aon Australia’s national practice leader for cyber risk, said that businesses across the spectrum remain unprepared, but problems are heightened in the SME area.
“I don’t think companies are prepared and I don’t think companies really understand,” Brooks told Insurance Business. “The top part of the pyramid is probably fairly well aware and they know what they are going to do, but as you get further and further down the pyramid, I think there is less understanding and people are less prepared.”
The legislation carries with it penalties of $360,000 for individuals and $1.8 million for organisations that fail to comply, and speculation remains as to how strictly the Privacy Commissioner will enforce fines. Brooks believes that it makes sense for the regulator to “flex their muscles” on those who fail to meet the standards and make an example of businesses that have ignored the legislative changes.
While not all businesses will be subject to mandatory data breach notification requirements, Brooks said it is important that clients pay attention to the intricacies of the legislation. Though the majority of businesses governed by the changes will have more than $3 million in turnover and fall under the remit of existing privacy legislation, others face a growing risk.
“What a lot of companies, we have found, are not aware of is if you deal with healthcare records it doesn’t matter what your turnover is, and I don’t think that has been particularly clear – it is buried in the legislation,” Brooks continued.
“There are other circumstances out there that make you eligible as well. If you trade in people’s information, for example, which puts a lot of smaller businesses, certainly in the .com type space who shift information around between each other, mapping apps and things like that, they are also part of it because they are profiting in the trade of information.”
For clients who have so far failed to act on the changes, Brooks said that making a plan – even if it is limited to one page – is the best first step.
“What we have seen is it is what you do in those few minutes or hours after a data breach that make all the difference and if you don’t have a plan, you are going to mess that up,” Brooks said.