Plummer urges the financial services industry to take the data breach privacy act seriously in 2018


Julian Plummer

Julian Plummer, Managing Director of Kamino Cyber Security (and Midwinter Financial Services) has urged advisers, accountants and superannuation funds to ensure that the new Australian mandatory data breach notification laws are given top priority in their businesses coming into 2018.

The recently introduced laws (which receive royal assent in February 2018) specify that all businesses with an annual turnover of $3 million or higher will be required to notify affected individuals and the regulator (the OAIC) when cyber security incidents compromise personal information.

Specifically, the Australian Data Notification Law states that:

  • Where a suspected unauthorised access occurs, the organisation must undertake an assessment of whether the incident is an “eligible data breach”.
  • As part of that assessment process, the organisation must decide whether the incident is “likely to result in serious harm” to any individuals.
  • If an “eligible data breach” has occurred then the organisation must provide notification of the incident to the Office of the Australian Information Commissioner (OAIC), and take steps to notify affected individuals.

Mr Plummer has expressed concern that the majority of SMBs, in particular planners (especially IFAs) and accountants, haven’t spent enough time researching and preparing for these changes to the Australian Privacy Act.

“Data published by the Ponemon Institute has revealed that the average cost to an organisation for a data breach notification is $88,000 (taking into account necessary actions such as creating a new client database, legal costs for the notification, related communication costs associated with notifying clients, etc.). The cost alone should be enough to convince you to take this seriously.”

Plummer stresses what this means for the financial services industry specifically: “This means that if at any point you experience a data breach, you will automatically be increasing the risk of loss of confidence in your business from a client’s point of view, as you are now obliged to tell them directly when and if a breach occurs.

“This is a result of increased digitisation in financial planning. Securing your data will secure your business.”

He also advised on what advisers, accountants and superannuation funds can do in order to be prepared for the new legislation, saying: “First and foremost – research and understand the laws. Ensure you have an Incident Response Plan in place to manage cyber security. Make sure your IT policies and procedures are up to date, that your staff are thoroughly versed in them and adhere to them. From then on, you can begin to plan and prepare your best line of defence.”

“It also may be a good time to review your cyber insurance policies. Cyber insurance offsets many of the costs of potential IT breaches; however, we recommend doing adequate due diligence, as one size does not fit all.”
