The 2017 data breach of US credit reporting agency Equifax exposed the personal information, including names, birthdays and social security numbers, of nearly 150 million Americans. The information obtained could be used to steal an identity, having a lasting impact on the lives of those affected. The breach has been reported to have cost Equifax between US$400m and US$600m, with the cost potentially increasing as ongoing disputes are resolved.
In 2018, Marriott discovered that, when they acquired Starwood, they also acquired an advanced persistent threat actor that reportedly stole data from 500 million customers over a four-year period, including names, contact information, passport numbers and other personal information.
Here in Australia, there have been numerous events too, including the 2017 breach of nearly 50,000 Australians’ information from a private contractor that worked with federal government departments and several ASX-listed corporations.
Incidents like the above can have significant impacts on a business's reputation and financial performance; however, the extent to which Australian entities will be fiscally penalised in the event of a breach is not yet known. In February 2018, the Notifiable Data Breaches Scheme (the Scheme) was enacted in Australia. It puts in place an expectation that organisations are responsible for how they handle our data, and creates a system of trust and transparency so that, should something go wrong, we have a way of knowing about it and about the potential harm that may be caused.
This article was first published in The Australian Corporate Lawyer, Winter 2019, Volume 29, Issue 2, pp. 24-25.