Top firm warns Australian firms on lack of data breach program

The warning comes as mandatory data breach disclosure is likely to be implemented in Australia this year.

Australian companies need to craft and implement data breach programs and they need to do it now lest they face increased risk of aggressive litigation, Jones Day warned.

The warning comes as Australia is likely to introduce compulsory data breach reporting requirements this year.

"Based on our experience in other jurisdictions that have introduced mandatory data breach notification, such as the U.S. and the EU, companies that are not adequately prepared are at greater risk of being sued by their corporate customers (for breach of privacy obligations embedded in their customer contracts) and by consumer customers," said Adam Salter, partner in Jones Day’s Cybersecurity, Privacy and Data Protection practice.

Noting that the bill for data breach requirements currently before the Parliament has bi-partisan support, Salter said that businesses should be taking action now to ensure they are ready to comply with the law once it takes effect.

In the 2016 Cost of Data Breach Study: Australia by the Ponemon Institute, it was found that the average total cost of a data breach is $2.64 million while the average cost per lost or stolen record is $142.

Although the study, sponsored by IBM, found that the average total cost of a data breach decreased 6.6 percent and the per capita cost decreased 1.4 percent, the financial impact is still very substantial.

In the 2016 Cost of Data Breach Study: Global Analysis, it was revealed that the average total cost of a breach is $4 million, an increase of 29 percent since 2013. The per capita cost is $158, an increase of 15 percent since 2013.

These costs are likely to increase if companies face more aggressive litigation for neglecting to comply with new requirements such as mandatory disclosure of a breach, hence the warning from Jones Day.

Alastair MacGibbon, Australia's first Special Adviser to the Prime Minister on Cybersecurity, agreed with the global law firm’s advice.

"The Australian government recognizes that we must lead by example when it comes to detecting, deterring, and responding to cyber threats and risks. But we cannot do this in isolation. It is absolutely critical we partner with and have the support of businesses to drive and implement the initiatives we outlined in our Cyber Security Strategy," MacGibbon said.

"Strong cyber defenses have much wider-ranging implications than most people realize—it has huge benefits to our economy, improves social opportunities of connecting online, and boosts our national prosperity," he added.

Meanwhile, although data breach disclosure helps protect potentially affected people from harm, it can also negatively impact companies, Mauricio Paez, a New York-based partner in Jones Day's Cybersecurity, Privacy & Data Protection practice, noted.

"Breach notification also means that cyber breaches could now be very public events that can result in private litigation and reputation and brand harm, and lead to governmental investigations, thereby increasing the legal risks to the reporting business," Paez said.

The key steps for Australian businesses to be prepared are to regularly review and strengthen their IT and data security systems, policies, and procedures, and to prepare for how they would report a potential data breach to authorities and customers, Salter said.

"In particular, businesses should review (or, if not already in place, develop) risk management and compliance policies and procedures to both prevent data breaches and deal with them, in the unfortunate but increasingly likely event that they occur," Salter explained.