Speak Out June 2018

Notification requirements

> What steps the entity recommends that affected individuals should take in response to the eligible data breach. More information about what to include in an eligible data breach statement can be found: oaic.gov.au/privacy-law/privacy- act/notifiable-data-breaches-scheme/ what-to-include-in-an-eligible-data-breach- statement > What steps the entity recommends that affected individuals should take in response to the eligible data breach. More information about what to include in an eligible data breach statement can be found: oaic.gov.au/privacy-law/privacy- act/notifiable-data-breaches-scheme/ what-to-include-in-an-eligible-data-breach- statement Defence costs > Incurred in proceedings Defence costs > Incurred in proceedings brought by the Commissioner against you to enforce an enforceable undertaking given to the Commissioner (and, allegedly breached). > The policy would also cover any sums payable as compensation up to the sum insured to persons affected by the breach of the Undertaking, or to apply for an injunction brought by the Commissioner against you to enforce an enforceable undertaking given to the Commissioner (and, allegedly breached). > The policy would also cover any sums payable as compensation up to the sum insured to persons affected by the breach of the Undertaking, or to apply for an injunction as a result of an alleged contravention of the Act. as a result of an alleged contravention of the Act. Civil penalty orders The policy also covers sums payable by you of any civil penalty orders made against you as a result of, repeated or serious interferences with privacy, provided that such interference arises as a result of a cyber event. Civil p nalt orders The policy also covers sums payable by you of any civil penalty orders made against you as a result of, repeated or serious interferences with privacy, provided that such interference arises as a result of a cyber event. Third party liability The policy covers sums Third party liability The policy covers sums payable in respect of a claim for compensation by a third party as a result of a cyber event payable in respect of a claim for compensation by a third party as result of a cyber vent To obtain a cyber event protection quote, please contact your Guild Account Manager today on 1800 810 213 . To obtain a cyber event protection quote, please contact your Guild Account Manager today on 1800 810 213 .

soon as possible. This assessment must take place within 30 days of becoming aware of the eligible data breach. The contents of the notification (statement) must include: > Name and contact details of the entity > A description of the eligible data breach > The kind/s of information involved in the data breach soon as possible. This assessment must take place within 30 days of becoming aware of the eligible data breach. The contents of the notification (stat ment) must include: > Name and contact details of the entity > A description of the eligible data breach > The kind/s of information involved in the data breach External management costs > The (agreed) costs incurred by you in engaging external communication, public relations and crisis management professionals to: 1. Liaise with customers or the media following an eligible data breach; and 2. Prepare media releases or “cheat sheets” for personnel External mana ement costs > The (agreed) costs incurred by you in engaging external communication, public relations and cri is management professionals to: 1. Liaise with customers or the m di following an eligible data breach; and 2. Prepare media releases or “cheat sheets” for personnel to deal with customer inquiries after breach notification to deal with customer inquiries after breach notification Post notification response costs > (Re-)securing the data the Po t notification response costs > (Re-)securing the data the subject of the breach to prevent it from any further misuse, loss or interference subject of the breach to prevent it from any further misuse, loss or interference identifying those that were a subject of the breach if the cyber event resulted in the release of, for example, TFNs, bank details or other personally identifying information > Monitoring the credit and identifying those that were a subject of the breach if the cyber event resulted in the release of, for example, TFNs, bank details or other personally identifying information > Monitoring the credit and Impact on business costs Your business could suffer impacts, such as: > The cyber event and I t on business costs Your busin ss could suffer impacts, such as: > The cyber event and associated interruption, leads to a drop in revenue, or > Efforts to mitigate the impact result in increased costs associated interruption, leads to a drop in rev nue, or > Efforts to mitigate the impact result in increased costs

An APP entity that suspects an eligible data breach may have occurred must undertake a reasonable and expeditious assessment to determine if the data breach is likely to result in serious harm to any individual affected. Once an eligible data breach is determined, the APP entity must notify the Australian Information Commissioner, other relevant regulators (such as APRA) and affected individuals as An APP entity that suspects an eligible data breach may have occurred must undertake a reasonable and expeditious assessment to determine if the data breach is likely to result in serious harm to any individual affected. Once an eligible data breach is determined, the APP entity must notify the Australian Information Commissioner, other relevant regulators (such as APRA) and affected individuals as Notification requirements The solution: Guild Insurance – cyber event protection policy We understand the importance of protecting your business. The Guild cyber policy will respond to your requirements under the new NDB scheme by providing the following cover: The solution: Guild Insurance – cyber event protection policy We understand the importance of protecting your business. The Guild cyber policy will respond to your requirements under the new NDB scheme by providing the following cover: Notification costs The costs incurred by you for: > Preparing a statement to the OAIC > Notifying those individuals whose data or information has been wrongfully accessed or lost; and > Other associated costs necessitated by the notification, eg: external solicitors to draft the relevant notice (in line with the statement prepared for the Commissioner) > Advice when responding to enquiries by the Commissioner Note: costs incurred, including Notification costs The costs incurred by you for: Preparing a statement to the OAIC > Notifying those individuals whose data or information has been wrongfully accessed or lost; and > Other associated costs necessitated by the notification, eg: external solicitors to draft the relevant notice (in line with the statement prepared for the Commissioner) > Advice when responding to enquiries by the Commissioner Note: costs incurred, including retention and payment of external solicitors, require prior approval before any reimbursement can be made under the policy retention and payment of external solicitors, require prior approval before any reimbursement can be made under the policy

Better through experience.

1800 810 213 guildinsurance.com.au 1800 810 213 guildinsurance.com.au

Better through experience.

The Guild Insurance Cyber Event Protection product is underwritten by Emergence Insurance Pty Ltd ABN 46 133 037 153 AFSL 329 634. Emergence acts as an agent to issue policies on behalf of certain underwriters at Lloyd’s. Guild Insurance Limited has an arrangement with Emergence to distribute the Cyber Event Protection product issued by Emergence and branded Guild Insurance. For the Cyber Event Protection product Guild Insurance may be paid a commission if you purchase, vary or renew general insurance products we arrange for you. No commission is paid if you do not buy the recommended product. The commissions are calculated as a percentage of the base insurance premium (excluding any government taxes and charges). For more information contact Guild Insurance on 1800 810 213 . GLD4417 Notifiable Data Breach Scheme Information 02/2018. The Guild Insurance Cyber Event Protection product is underwritten by Emergence Insurance Pty Ltd ABN 46 133 037 153 AFSL 329 634. Emergence acts as an agent to issue policies on behalf of certain underwriters at Lloyd’s. Guild Insurance Limited has an arrangement with Emergence to distribute the Cyber Event Protection product issued by Emergence and branded Guild Insurance. For the Cyber Event Protection product Guild Insurance may be paid a commission if you purchase, vary or renew general insurance products we arrange for you. No commission is paid if you do not buy the recommended product. The commissions are calculated as a percentage of the base insurance premium (excluding any government taxes and charges). For more information contact Guild Insurance on 1800 810 213 . GLD4417 Notifiable Data Breach Scheme Information 02/2018.