News & Insights

Personal data leaks do happen!

Published 18 May 2018

Naturally Gallagher’s Head of Marketing & Communications, Australia & Asia, Steve White was intrigued to discover two of his Australian namesakes were recently involved in an involuntary identity merger. The Queenslander and New South Welshman share a birthday, a year apart.

Apart from the names and birthday the common link between the two men was their Telstra accounts. Queensland Steven was inadvertently given access to the NSW Steven's online Telstra account, which included personal information such as his phone number, address and details about his partner, while NSW Steve’s credit card was being deducted for the movies Queensland Steve was watching.

Puzzled, Queensland Steve contacted his NSW counterpart and between them they established their identities and personal information had been merged. The difficulty was convincing Telstra they were two different people! Both men contacted the telco and Queensland Steve has also written to the Telecommunications Industry Ombudsman, and NSW Steve intends to contact the Australian Information Commissioner. Both men are concerned their security has been compromised.

Telstra managers have apologised to the two Steves and the organisation is taking steps to rectify the identification error that led to the situation.

Gallagher cyber insurance specialist Danielle Nolan unpacks the requirements and implications of a personal data breach incident.

Know the regulatory obligations

Mandatory breach notification laws apply to organisations with a turnover of $3 million or more. The Privacy Act also applies to some businesses with turnover of less than $3 million so it’s important to check the requirements.

Eligible breach incidents apply to disclosure of personal information as well as unauthorised access to information where this could result in serious harm (physical, psychological, emotional, economic, financial or reputational harm).

Have a data breach response plan

An organisation’s ability to detect a data breach and take immediate action to remedy it is an important part of remediating the likelihood of harm occurring, whether the breach is inadvertently caused by the organisation or its staff, or the actions of a criminal.

A data breach response plan should cover:

  • containment
  • evaluation
  • notification
  • prevention.

Take preventative measures

“Twenty-seven per cent of of data breaches are caused by human error,” Nolan says.

Organisations should:

  • regularly audit all the data organisations collect on their clients and customers
  • have a cyber/privacy risk assessment which is reviewed and updated regularly
  • silo information so that it is accessible only to those who need to use it
  • have insurance with contingency cover for crisis/PR management as well as containment and rectification costs.

Get professional help

A comprehensive cyber insurance program needs to cover multiple risks, from financial loss to legal costs, and should be put together by a broker who understands both your operation and how a data breach could impact it.

Gallagher’s team of cyber insurance specialists has the knowledge, capacity and ability to identify and protect an organisation’s risk exposures. Call 1800 240 432 or visit for obligation free advice.

Talk to a cyber specialist todaychevron-right

Top Underwriting Concerns for Cyber Insurance Renewals
Cyber | Webinar

Top Underwriting Concerns for Cyber Insurance Renewals

23 September 2021
DeepFake Technology: The Frightening Evolution of Social Engineering Schemes
Cyber | Webinar

DeepFake Technology: The Frightening Evolution of Social Engineering Schemes

23 September 2021
Global Cyber Market Update Mid-Year 2021
Cyber | Report

Global Cyber Market Update Mid-Year 2021

23 August 2021