Optus and Medibank Data Breaches: Reducing Liability and Improving Data Security
How the Optus and Medibank Data Breaches Have Impacted Business Liability and Data Security

The 2022 Optus and Medibank data breaches have significantly influenced the way businesses handle liability for data breaches in their contracts. These incidents have highlighted the immense scope, far-reaching consequences, and substantial financial costs resulting from a data breach. A crucial factor in these events is often human error, as data breaches frequently transpire when an employee mistakenly grants access to hackers or shares sensitive information with unauthorized parties.

The Shift in Business Attitudes Towards Data Security

Before the Optus and Medibank data breaches, many companies had a more lenient attitude towards data security. Liability limitation clauses in most service contracts were generally favourable to the party entrusting their data, reducing the possibility of litigation following a breach.

In light of these incidents, the risks related to insufficient data protection, particularly those involving human error, have become more evident. This has led businesses to prioritise customer data protection. Liability for Data Breach provisions are now more comprehensive, and companies are less willing to accept extensive liability in case of a breach due to potential financial impacts and legal expenses linked to defending claims.

Increasingly over the last year, we have been involved in contract negotiations that have become tense and stalled on the issue of liability for data breaches. Parties who will be entrusted with the data are often unwilling to accept any liability for a data breach, even where they would be clearly at fault. Were an entrusting party to fall victim to such a breach, they would have a much more difficult time being compensated by the entrusted party, most likely leading to costly and acrimonious litigation.

Addressing Human Error and Ensuring Accountability

When we have been witness to data breaches by our clients (which is thankfully rare), it has usually been caused on some level by human error. Even the Optus breach was due to human failure to lock access to their API. To tackle the issue of human error and guarantee that any party responsible for data is held accountable for a breach, businesses should consider the following measures:

  1. Review and negotiate contracts: Ensure that Liability for Data Breach provisions clearly define the responsibilities and liabilities of all parties involved. Distribute risks and responsibilities fairly so that the accountable party can be held responsible.
  2. Enhance employee training: Create comprehensive training programs that teach employees about data security best practices, human error risks, and recognizing and avoiding social engineering attacks and phishing attempts.
  3. Implement strict access controls: Restrict access to sensitive data based on necessity, and establish robust authentication methods, such as multi-factor authentication, to decrease the chances of unauthorized access due to human error.
  4. Evaluate third-party providers: Perform thorough due diligence when selecting third-party service providers, and incorporate detailed provisions in contracts to guarantee adherence to data security measures. Monitor their compliance and hold them responsible for breaches caused by their negligence.
  5. Promote a security-aware culture: Encourage a culture of responsibility and alertness within the organization. Facilitate open communication about potential risks and provide a secure environment for employees to report suspicious activities or security concerns.
  6. Update security policies regularly: Continually assess and revise security policies and procedures to ensure their effectiveness in addressing the evolving cyber threat landscape, especially regarding human error.
  7. Establish incident response plans: Develop and maintain a robust incident response plan outlining how to manage data breaches, including those caused by human error. Test and update the plan regularly to guarantee its effectiveness.
  8. Consider cyber insurance: Look into obtaining cyber insurance to alleviate financial risks and cover expenses related to a data breach, including legal fees, notification costs, and public relations efforts.

The Benefits of a Proactive Approach to Data Security

While there is no foolproof solution to eliminate all risks, and responsibility for data security cannot be entirely outsourced, taking these steps can help businesses better protect their customers’ data and ensure that any party entrusted with data is held accountable for a breach, even when human error is involved. This proactive approach not only shields businesses from potential legal and financial repercussions but also fosters trust and maintains customer confidence.

To learn more about data breach liability and enhancing your organization’s data security, explore the following resources:

Additional Resources for Data Breach Liability and Security

Cybersecurity Best Practices: Visit the Australian Cyber Security Centre website for guidelines and best practices on enhancing cybersecurity measures for businesses.

https://www.cyber.gov.au/resources-business-and-government

Cyber Insurance: Learn about the benefits and considerations of purchasing cyber insurance for your business from this ZDNet article.

https://www.zdnet.com/article/what-is-cyber-insurance-everything-you-need-to-know-about-what-it-covers-and-how-it-works/

Incident Response Plan Guidelines: Consult OAIC guidance on developing and maintaining an effective incident response plan to better protect your organization from data breaches.

https://www.oaic.gov.au/about-the-OAIC/our-corporate-information/plans-policies-and-procedures/data-breach-response-plan

If you need help drafting or negotiating a contract where sensitive or personal data will be exchanged, book in with us here: Home
