If you get hacked, notifying customers – even where there is no legal obligation to do so – can help limit reputational damage.
That was a key message from the latest Emergence Insurance webinar for brokers.
Sparke Helmore Lawyers consultant Colin Pausey said reputational damage could be significantly greater if businesses did not inform customers whose information may be at risk. The cost involved is not burdensome, and notifying customers can prevent further harm.
Emergence National Head of Sales Gerry Power agrees: be honest and transparent if a hack occurs, and give your customers the ability to take preventive steps, he says.
Colin says a duty of care requires organisations to take reasonable care not to cause harm to others where that harm can reasonably be foreseen. However, what counts as "reasonable care" depends on a range of factors.
He suggests Australian Privacy Principle 11 (APP 11) is a good starting point. It requires organisations to take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure.
“There’s no automatic liability, but you can mount a defence if you’ve taken reasonable steps, consistent with APP 11,” Colin said. “You can be negligent if your conduct falls below a standard that can reasonably be expected.”
While the Notifiable Data Breaches (NDB) scheme requires an organisation to notify the Office of the Australian Information Commissioner (and the affected individuals) when personal information is involved in an eligible data breach, organisations also hold other vital client information, such as corporate data, that falls outside the scheme.
If a hack occurred, Colin advised organisations to conduct forensic investigations into their systems to ensure there was no exfiltration of data that could affect customers' businesses or cause them loss, and to tell those customers what had happened and what measures were now in place to rectify the situation.
Andrew Miers, a Partner at HWL Ebsworth, told the webinar hackers were not always external. They could be trusted insiders, including contractors and employees.
His advice was:
- Don't underestimate the impact of basic vulnerabilities.
- Simple mitigation strategies ("basic cyber hygiene") can avoid 85% of cyber incidents.
- Don't underestimate internal attacker threats.
- Protect all information assets – corporate data as well as the personal information you hold.
Colin says staff training is the most important mitigation step. Others include having up-to-date anti-virus software, data encryption, and strong passwords.
Gerry agrees, saying staff are the last line of defence. Analysis of claims within Emergence’s portfolio shows claims costs are three times higher than average for clients that have no written procedures for their staff. Claims costs are 25% higher than average for clients that don’t use data encryption. These inflated costs are due to a lack of employee education.
Emergence is a pioneer of cyber cover in Australia and provides protection for SMEs through to ASX-listed entities.
Emergence was judged the 2019 Insurance Business magazine Underwriting Agency of the Year and was a finalist in the same category at the 2019 ANZIIF-Asia Insurance Review awards.
To access the broker portal to obtain Emergence cyber quotations for your clients, email [email protected]
This blog is another cyber education initiative from Emergence.