Does the Equifax Inc breach have implications for Australian companies?

  • While the size of the Equifax data breach far exceeds what could occur in Australia, it provides some salutary lessons in what not to do.
  • The breach highlights the damage that can occur when there are delays once the breach has been detected.
  • Companies need to prepare their data breach response plans, including their processes for investigating and documenting their investigations into breaches.


As Australian businesses prepare for the amendments to the Privacy Act 1988 that will introduce mandatory data breach notification, the recent Equifax breach in the US provides some important lessons. Those lessons cover all aspects of privacy and data compliance, from governance and internal structures to breach response and planning.

On 9 November 2017 Equifax filed its third quarter results with the US Securities and Exchange Commission, reporting that the data breach (which affected approximately 145.5 million American citizens and included records of their banking details and social security numbers) had cost Equifax in the order of $87.5 million before the end of September. Given that the Equifax breach involved such a significant number of records (about 50 per cent of the American population) and given the nature of the entity (a credit-reporting agency), it is unlikely that an event of that scale would occur in Australia. Despite this, even if a breach were one-tenth of the size and the costs one-tenth, it would still cost an entity over $8 million, which far exceeds the cost of any regulatory fines or undertakings.

This article is exclusive to Governance Institute members and subscribers.
