As Australian businesses prepare for the amendments to the Privacy Act 1988 that will introduce mandatory data breach notification, the recent Equifax breach in the US provides some important lessons. Those lessons cover all aspects of privacy and data compliance, from governance and internal structures to breach response and planning.
On 9 November 2017 Equifax filed its third quarter results with the US Securities and Exchange Commission, reporting that the data breach (which affected approximately 145.5 million American citizens and included records of their banking details and social security numbers) had cost Equifax in the order of $87.5 million before the end of September. Given that the Equifax breach involved such a significant number of records (about 50 per cent of the American population) and given the nature of the entity (a credit-reporting agency), it is unlikely that an event of that scale would occur in Australia. Despite this, even if a breach were one-tenth of the size and the costs one-tenth, it would still cost an entity over $8 million, which far exceeds the cost of any regulatory fines or undertakings.