Are fines imposed on SMEs for data breaches fair?
From 23 February 2018, legislation requires Australian businesses to report data breaches.
I have heard that there have already been an average of 10 notifications a week, but this figure was on social media and I have not been able to verify the number.
I appreciate that we all have a duty to protect the personal data of our customers and employees, but I question whether fines imposed on any company that is breached are fair and reasonable.
Today the news is abuzz with how Facebook was hacked. There have been reports of countless hacks of major international businesses and even sensitive government departments.
The issue of what is reasonable has been mulling around in my head for a while. It started last year, when LMI’s head of cyber security presented a board paper seeking an upgrade of our company’s security and additional funding to cover the introduction of new software solutions. As we take cyber security very seriously, all the recommendations were adopted and the capital expenditure approved.
A few weeks later I was meeting with a new client, and in passing they advised that they had upgraded their security system and had spent exactly 50 times more than we had. Admittedly the client was an insurer with a much greater turnover and a much larger customer database, and one would therefore expect greater exposure. Having said this, the amount they had spent was greater than the gross profit of our organisation, so it simply was not feasible for us to mirror their efforts.
Having said that, the same hacker could be targeting LMI as well as them, and despite what was to us a significant expenditure, I have to think we will be more vulnerable than the insurer.
I am also concerned about the number of SMEs that are using cloud-based services such as Xero and MYOB’s new accounting systems. Employee data can be held there, and the question is who would be fined if there were a breach of the cloud provider?
The other point I would make is that, after attending a number of conferences and hearing a number of computer security experts who carry out penetration testing, I am of the firm opinion that everyone has been hacked, but they have so much data already collected that they have not used it yet. The infographic at the end of the post shows the number of reported breaches during the first half of 2016. If you compare this to the 2017 first-half figure of 1,901,866,611 reported data breaches, you can see the massive increase (343%) in just one year.
The point to keep in mind is that some countries, including Australia, did not have to report breaches during this period, so the figures are not complete.
With this background, I question whether levying a fine on an organisation that has taken reasonable steps within its budgetary constraints is fair and reasonable, or whether it is just another form of hidden taxation on SMEs.
The reality is that reporting of breaches is now mandatory and the penalties for not notifying a breach are, correctly, more serious. Therefore businesses that do suffer a breach need to report it immediately.
If fines will ensue, then every business needs to rethink its attitude to cyber insurance and, if it does not have the cover, consider obtaining the protection, making sure of course that it provides cover for any fines or penalties.
While PolicyComparison.com does provide a detailed summary of the features and benefits of the majority of cyber policies available in Australia, my recommendation to any organisation looking for cyber insurance is to obtain the advice of an insurance broker to secure the right insurance protection for them.
This is a class of insurance that is changing rapidly and, as with cyber security itself, it is not a set-and-forget issue. Both cyber security and the protection afforded by cyber insurance need to be reviewed constantly, the latter at least at each renewal.