Australian companies face 'US levels' of litigation if they fail to prepare for mandatory data breach reporting requirements which are likely to come into effect this year, a lawyer has warned.
Speaking in Sydney, Adam Salter, a partner at law firm Jones Day's cybersecurity, privacy and data protection practice, said companies not adequately prepared are at greater risk of being sued by their corporate customers. Litigation would be initiated for breach of privacy obligations embedded in customer contracts and by consumer customers, he said.
Salter based his view on the firm's experience in other jurisdictions - such as the US and European Union - that have introduced mandatory data breach notification laws.
Mauricio Paez, a US-based partner at the Jones Day practice, said that since the introduction of mandatory data breach notification laws in the US, there have been several private class actions and strong government enforcement activities.
"Data breach notification has the positive effect of providing due warning to potentially affected individuals to enable them to take appropriate steps to guard against identity theft and other potential harms.
"Breach notification also means that cyber breaches could now be very public events that can result in private litigation, reputation and brand harm, and lead to governmental investigations, thereby increasing the legal risks to the reporting business," said Paez.
In 2014, large Australia daily deals website, Catch of the Day, failed to inform users of a data breach that occurred three years earlier. Encrypted passwords and user information stolen from the company's database. A small number of customers also had credit card data stolen.
At the time, Matthew McMillan, a partner at law firm Henry Davis York, said Catch of the Day's failure to alert users after such a long period of time, may have done the brand some harm.
Salter said Australian businesses should regularly review and strengthen their IT and data security systems, policies and procedures and prepare for how they would report a potential data breach to authorities and customers.
He said it was an important approach to mitigate the risk of litigation, especially given the emerging issues around cloud storage and offshore hosting of data.
"In particular, businesses should review, or if not already in place, develop risk management and compliance policies and procedures to both prevent data breaches and deal with them in the unfortunate but increasingly likely event that they occur," Salter said.
Sign up for Computerworld eNewsletters.