Australian banks and insurers are concerned about a plan that would make it easier for those affected by data breaches to sue or seek financial compensation.
Premiums for cyber insurance and directors’ liability products in Australia could rise if consumers have clearer legal avenues to seek redress in the event of a data breach or cyber incident, insurers have warned.
The ability of consumers to “seek redress or compensation for cybersecurity incidents” is currently limited in Australia, but this could change if a “direct right of action” is introduced.
Home Affairs said [pdf] in July that a “right” could be incorporated into consumer protection or privacy laws, and lead to the establishment of “standards” for payments to those affected by a violation.
But the proposal was greeted with concern by banking and insurance groups, which are worried about the precedents it would set and the potential for liability to discourage disclosure of incidents in the first place.
The Insurance Council of Australia warned that insurance premiums would rise if data breach victims had easier ways to sue breached companies that hold their data.
“We urge the government to approach with caution any measure that would put upward pressure on (…) the lines of insurance, which have faced significant increases in claims costs, and therefore premiums, in recent years,” wrote council CEO Andrew Hall. [pdf]
“[Home Affairs’ consultation] includes a proposed amendment to the Privacy Act. In the event of a cyber attack, the amendment would give those affected the legal right to sue companies that hold their personal information.
“This is likely to increase the associated risk for this business, introduce uncertainty into insurers’ risk assessments and increase claims costs.
“If implemented, these factors could increase the premiums for some insurance products, including D&O [directors and officers] insurance, across the Australian economy.
“The Insurance Council therefore strongly encourages the Home Office to consider the broader insurance implications of any cybersecurity change in Australian regulations.”
Hall said existing data breach disclosure obligations were satisfactory – without increasing the prospect of payments.
“These already have the effect of allowing consumers to ask questions, request additional information about a cyber attack and reassure themselves about the actions taken by an organization,” he wrote.
The Australian Banking Association is also concerned, saying the proposed remedies create “complex issues that cross multiple legal or regulatory regimes.”
It raised concerns about the threshold for suing a company that is breached, as well as the extent to which “operational incidents” – system failures that are not caused by a threat actor – could also become targets of breach compensation.
“If the threshold is negligence, consumers and entities would also benefit from advice on what can constitute negligence in the context of cybersecurity,” the association wrote. [pdf]
“Cyber attacks are inevitable, regardless of precautionary measures and continued investments in system resiliency, and the impact of cyber attacks will be different.
“As such, ask yourself whether consumers should be required to establish a loss of their personal information or data, as well as financial losses associated with the loss (and how this can be done), or whether the threshold for bringing legal action must be evidence of a systemic failure to meet minimum cybersecurity standards and/or a breach of privacy that results in serious harm.”
The ABA warned that linking liability to “regulatory reporting of cyber incidents … could have a chilling effect on early and proactive engagement with regulators and those affected or potentially affected.”
Like the Insurance Council of Australia, it was also concerned about the possibility of higher premiums.
“The [cyber insurance] market is recognized as being already ‘hardening’,” said the association.
“It can have an impact on the cost of doing business and on supply chains.”
Not everyone is against the idea of a clear compensatory remedy for customers impacted by data breaches.
Cyber security experts at the University of Queensland have suggested [pdf] that “clear and appropriate legal remedies for victims” might be welcome.
“Clear legal remedies are a much better idea, as if they were just generalizable without clarity, then you wait for a risk-taking complainant or a case to define what it is and not all disputes reach that point,” UQ wrote.
“Having this clarity on what constitutes a violation will help minimize this risk and can provide better guidance to those in need.
“One problem in this space is that a consumer will not choose to go through a long lawsuit, and probably a class action lawsuit will be the most viable option, but generally people will agree on a small amount (e.g. $1000) to settle and avoid legal action.
“Australia is not much of a litigious society, but having legislation and a definition to help erase borders is better than nothing.”
UQ also added that “some type of small claims court for cybersecurity might be an option.”