Mandatory Notification: Understanding Your Obligations After a Cyber Attack

What does “mandatory notification” mean within the context of a cyber attack?

Mandatory notification refers to a legal obligation to notify individuals in the event that their personal data may have been compromised as a result of a cyber attack.

Mandatory notification is distinct from:

  • Reporting a cyber attack to ASIC, APRA or other regulatorsas part of a company’s existing legal and compliance obligations
  • The voluntary reporting of cyber crime incidents, which may be in breach of Australian law to the Australian Cybercrime Online Reporting Network (ACORN)

What are the current requirements in Australia regarding mandatory notification?

Under current legislation, Australia does not impose a “mandatory” obligation on organisations to notify affected parties (such as employees, customers or clients) that a cyber attack has resulted in a security breach or privacy breach which may have compromised their personally identifiable information (PII). However, existing privacy obligations, designed to protect personal information from misuse or loss, means that any cyber attack compromising personal information could result in the involvement of multiple regulators.

Proposed scheme for mandatory data breach notification

In response to the Federal Parliament’s Joint Committee on Intelligence and Security’s inquiry into the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, a mandatory data breach notification scheme was proposed in March 2015 for implementation by the end of 2015. Although aimed at the telecommunications industry, it appears that such a mandatory data breach notification requirement would also apply to other organisations subject to federal privacy laws.

Domestic and foreign mandatory notification considerations

Following a cyber attack, a crisis management team is usually formed to assist the organisation in determining its obligations to notify affected individuals that their personally identifiable information may have been compromised. The scope of this obligation extends beyond Australia’s borders. The organisation may have global exposures, or its data may be lodged in a cloud outside of Australia. Mandatory notification obligations of both domestic (Australian) and foreign jurisdictions must be considered.  Currently, mandatory notification is required in the United States of America while, closer to home, it is also required in Taiwan, the Philippines and South Korea.

Financial impact of mandatory notification

If it is determined that notification is required (either voluntarily or in accordance with mandatory notification obligations), then costs will be incurred to make those notifications. This may include the costs of notifying affected customers, the costs of setting up a call centre to respond to inquiries or costs associated with good will gestures, as many organisations will accompany their notification to affected individuals with the offer of credit monitoring services.

Related articles

Marsh Pty Ltd (ABN 86 004 651 512, AFSL 238983) (“Marsh”) arrange this insurance and is not the insurer. The Discretionary Trust Arrangement is issued by the Trustee, JLT Group Services Pty Ltd (ABN 26 004 485 214, AFSL 417964) (“JGS”). JGS is part of the Marsh group of companies. Any advice in relation to the Discretionary Trust Arrangement is provided by JLT Risk Solutions Pty Ltd (ABN 69 009 098 864, AFSL 226827) which is a related entity of Marsh. The cover provided by the Discretionary Trust Arrangement is subject to the Trustee’s discretion and/or the relevant policy terms, conditions and exclusions. This website contains general information, does not take into account your individual objectives, financial situation or needs and may not suit your personal circumstances. For full details of the terms, conditions and limitations of the covers and before making any decision about whether to acquire a product, refer to the specific policy wordings and/or Product Disclosure Statements available from JLT Risk Solutions on request. Full information can be found in the JLT Risk Solutions Financial Services Guide.”