Data breach law under review

A potential amendment of Australian privacy law could result in mandatory notification of serious data breaches, pushing the rationale for cyber insurance into the realm of legal obligation. 

The Australian government will be taking submissions of public comment on the draft bill to amend the Privacy Act 1988 to include serious data breach notification. Submissions will be taken until March, when legislation will be introduced to Parliament.

The bill would require agencies and businesses subject to the Privacy Act 1988 to report serious data breaches to the national regulator and affected individuals, including customers.

A serious data breach, as the bill intends the term, is an unauthorised access to, or an unauthorised disclosure of, information which ‘will result in a real risk of serious harm’ to any of the affected individuals, or is ‘likely’ to result in unauthorised access to the information.

Considering the broad scope of cyber crime within Australia, the new legislation could be a real boon for insurance brokers.

NIBA CEO Dallas Booth says that brokers may need to discuss the change in legislation with their clients if the bill is passed.

“NIBA will keep members informed about the passage of these proposals,” Booth says.  

“If passed by Parliament, we believe brokers should discuss this matter with their clients, and ensure clients are aware of the potential obligations and costs associated with a data breach and the availability of insurance to cover those costs.”

On a global scale, Lloyd’s of London have written to major brokerages seeking common data relating to cyber breaches with the intention of tracking exposures.

The insurer announced that a set of common core data requirements for cyber risks has been agreed upon through its collaboration with the risk modelling firms AIR Worldwide and RMS, together with the Cambridge Centre of Risk Studies.

Collaborators have agreed to highlight common elements of data risk, agreeing to use similar terminology and precise definitions, with their data schemes due for publication at the end of January.

Some of the data requirements include commonality in collection of geographic information on insured companies, standard Cyber Peril Codes, agreement on key indicators of cyber vulnerability, aligned cyber coverages and common cyber-risk attributes.

Lloyd’s Director of Performance Management Tom Bolt says: “Cyber insurance is an important new area of coverage and it is essential that we have good quality standardised data to track exposures.”

“The cyber insurance industry is showing real innovation and demonstrates the ability of insurers to develop policies to cover modern, complex risks. Due to the growing importance of this risk class, quality standardised exposure data is critical for increased levels of insurance coverage and better risk modelling.”

Bolt says that models for cyber risk pale in comparison to other risk models, and that it’s time to catch up.

“Models for natural catastrophe risks are well developed in the reinsurance industry and the data requirements are relatively standardised,” Bolt says.

“But in comparison, models for cyber risks are still developing and need the industry to work collectively so that risk can accurately be calculated.”