Data Breach Running: Avoid Possible Business Risks

Data Breach Running: Avoid Possible Business Risks
  • Taking about the mandatory breach notification scheme and understanding the new law. 
  • Targeted cyber attacks are getting popular day by day. What's the reason behind it?
  • Here are some key tips to help you out before it's too late.

The new mandatory breach notification scheme came into effect earlier this year in a move to protect the data of Australians and improve transparency. The new law means that any business that experiences a data breach, where they believe that serious harm may result, must now report it. Previously reporting was voluntary in Australia.

The new scheme ensures that organisations accept the very real threat of a data breach, and finally take accountability for how their data is stored. In fact, News Corp has reported that 31 companies were forced to report major data breaches in the first three weeks of the law coming into effect.

The scheme was long overdue, with many other countries already having a similar scheme in place. From a consumer perspective, it provides us with greater confidence about the privacy of our personal information, and also helps up to trust the brands we deal with.

Many businesses may think they are exempt - but it’s important for you to check. If you are an organisation with an annual turnover of $3 million or more, then there’s a good chance you’re included. Further, many business relationships are beginning to require evidence of a data security strategy before business can be commenced, making data security not simply a compliance requirement by increasingly a commercial requirement for businesses as well.  Find out now whether you are impacted, and make sure you are taking the necessary steps to ensure you’re not breaking the law.

Ignoring the scheme could backfire and it won’t be easy to recover

Not reporting a breach can have disastrous effects on both brand and reputation. You may also be fined a penalty of up to $1.8 million for companies and $360,000 for individuals.

The average total cost of a data breach is thought to be around $3.62 million[1] dollars - with costs associated to reputational damage, and retaining customers in the wake of a breach. If this was to happen to your business, is this something you could financially manage? If not, this could lead to your business getting into major financial difficulty and being at risk of becoming insolvent.

In 2011 Catch of the Day was targeted by an illegal cyberattack, which saw encrypted passwords and user information such as names, addresses and email details taken from its database. It took them three years to report a breach which raised many questions for customers and the wider industry - why wasn’t it reported sooner? Didn’t customers have a right to know that they were compromised? This is a great example of how a brand’s reputation can be impacted when a breach isn’t reported, with or without a formal regulation in place.

Cyber attacks are getting more targeted - are you ready?

The question is no longer if we are going to get hit, it’s when. Data is the new oil, with more businesses understanding the value of collecting and utilizing data to target their customers and improve their offering. Cybercriminals are getting smarter and more targeted with their attacks, impacting organisations across various industries. In 2016, PwC found 65 per cent of Australian organisations experienced cybercrime in the last 24 months with more than one in 10 reporting losses of more than $1 million (compared to the global average of 32 per cent).

What to do if a breach occurs

Data breaches are defined as those in which there is unauthorised access, disclosure or loss of personal information held by an entity, which is likely to result in serious harm to any of the individuals to whom the information relates.  

The mandatory data breach notification scheme requires organisations subject to the Privacy Act to promptly notify Australia's Privacy Commissioner of any potential breaches.

If you believe a data breach has occurred, then you must carry out a “reasonable and expeditious” assessment and notify any individual affected as well as the Privacy Commissioner. You need to take reasonable steps to complete the assessment within 30 days.

Steps you need to take before its too late

Businesses should ensure they have a data security strategy in place, or risk disastrous financial implications.

  • Produce a policy and procedures document that defines “serious harm” and what action needs to be taken in the event it occurs
  • Update security software
  • Define what a breach is within your organisation
  • Nominate someone to be responsible for identifying and dealing with any breaches
  • Review contracts with suppliers and service providers to ensure they have implemented data security measures
  • Have a draft notification in place so it is ready to send in the event action needs to be taken

If you haven’t already taken action - ask yourself, if you are caught out, would your organisation survive the blow?

Andrew Spring

Partner at

Andrew Spring has more than 17 years’ experience in corporate recovery and insolvency, gained through work in the UK, Europe and Australia. He has a wealth of experience in all facets of domestic and international business restructuring and insolvency. His specialist skills include independent business reviews, reconstruction and turnaround consulting, business sales and asset divestment, profitability reviews, cross-border insolvency, and all forms of corporate insolvency appointments.