From next year, any retailer with a turnover of more than $3 million that holds customer data will be required to report a successful cyber-attack, inform all affected individuals and make a public apology, or face civil penalties.
Looming new privacy and data regulations defined by the Office of the Australian Information Commissioner (OAIC) will require all businesses to report any data breach “that is likely to result” in serious harm to an individual.
From early next year, unless an exception applies, any retailer with a turnover of more than $3 million that holds customer data such as credit card details will be required not only to report a successful cyber-attack to the Office of the Australian Information Commissioner (OAIC), but potentially to inform all affected individuals and make a public apology. Retailers will have 30 days to declare the breach.
Failure to do so, or repeated non-compliance, could not only see civil penalties of up to $1.8 million imposed but also put retailers at risk of a further class action, according to global law firm Dentons. The new legislation comes into force in a little over four months.
The explosion in online shopping means retailers and consumer brands who hold customers’ personal and financial details are now at particular risk of class actions, according to Dentons litigation partner Ben Allen.
“Until recently, consumers shopping online have often had limited or even no notification that their personal, credit card or other financial details may have been obtained by hackers,” says Allen.
In May, Target in the United States paid out US$18.5 million to the US government and was close to settling a class action taken by 200,000 consumers, after hackers accessed 40 million credit and debit card details held by the retailer.
Allen says that, aside from the major reputational damage a large or repeated data breach like the example above could cause, the financial cost also poses a sizeable burden. “The level of risk means data breaches are not simply ‘an issue for the IT department’ but rather one senior management and company directors must be across.”
According to Allen, executives and company directors should ensure they are notified immediately of any potential breach, rather than halfway through or at the end of an investigation. Insurance should also be reviewed now to cover costs from loss of goodwill and reputational harm from a breach, given these are often excluded and most organisations have not yet put in place cyber risk policies.
In 2015/16, the Office of the Australian Information Commissioner received 107 voluntary data breach notifications, with retail and online services among the top five reporting sectors. Commonwealth government agencies, private sector and other entities are covered by the Privacy Amendment (Notifiable Data Breaches) legislation which comes into force from February 2018.