Cyber and Breach of Privacy


A number of organisations hold personal information which belongs to clients, customers, suppliers and third parties. Under Australian law, personal information is defined as:

“Information or an opinion about an identified individual, or an individual who is reasonably identifiable:

1. Whether the information or opinion is true or not.
2. Whether the information or opinion is recorded in a material form or not.”

A number of different types of information are explicitly recognised as constituting personal information under the Privacy Act. For example, the following are all types of personal information:

  • Sensitive information (includes information or opinion about an individual’s racial or ethnic origin, political opinion, religious beliefs, sexual orientation or criminal record, provided the information or opinion otherwise meets the definition of personal information).
  • Health information (which is also ‘sensitive information’).
  • Credit information.
  • Employee record information (subject to exemptions).
  • Tax file number information.

This list is not exhaustive.

If you hold personal information such as that outlined above, and that information is accessed by a hacker, there has been a notifiable data breach. This would then need to be notified to the Office of the Australian Information Commissioner and to the affected individuals. The cost of providing this notification can be high, and it can be an onerous task to notify individuals, particularly when they are former clients you may have lost touch with.

Cyber insurance can be an important tool in managing this notification process. A cyber insurance policy, for example, can include Incident Response Expenses, which cover costs:

1. To comply with consumer notification provisions of the Privacy Regulations in the applicable jurisdiction that most favours coverage for such expenses, but only to the extent that such compliance is required because of a Cyber Incident, including but not limited to:

  • Retaining the services of a notification or call centre support service.
  • Retaining the services of a law firm to determine the applicability of, and actions necessary to comply with, Privacy Regulations.

2. To retain a legal or regulatory advisor to handle and respond to any inquiries by any government agency, or functionally equivalent regulatory authority, alleging the violation of Privacy Regulations, including communicating with such government agency or functionally equivalent regulatory authority to determine the applicability of, and actions necessary to comply with, Privacy Regulations.

Any client who holds personal information needs this kind of cover.

If you would like more information on any of the above, then please contact your account manager or reach out to us on (02) 9587 3500, or at

*Please note that the information contained is General Advice only.
General Advice is advice that has been prepared without considering your current objectives, financial situation or needs.
Before taking any action, you should consider whether the general advice contained in this communication is appropriate to you having regard to your current objectives, financial situation, circumstances or needs, and seek appropriate professional advice if you think you need it.