Privacy Act shake-up: Why brokers can no longer treat cyber as a standalone risk

Australia’s revamped regime is blurring the lines between cyber, executive risks and AI-driven exposures, forcing brokers to rethink program design or risk leaving clients dangerously exposed

Insurance News

By Daniel Wood

Privacy reforms are radically expanding what counts as a “privacy breach” and who can be held to account, meaning brokers now need to ensure clients have coordinated first‑party and third‑party cover that keeps pace with new statutory torts and tougher enforcement. The real exposure isn’t just fines and investigations, but gaps between management liability and cyber policies where director liability, regulatory probes and serious invasions of privacy could all collide after a single incident. For brokers, this shifts the job from selling cyber as a standalone product to acting as strategic risk advisers on data governance, AI‑driven decision making and data minimisation, so clients can both demonstrate compliance and withstand the next serious breach.

Holistic cover in a fractured risk landscape

The recent changes to the Privacy Act and the introduction of new enforcement tools are reshaping how privacy risk shows up on a client’s balance sheet. For insurance brokers, the message from the market is clear: stop thinking about “cyber” in isolation and start designing programs that recognise how privacy claims can now cut across multiple policy lines.

As Louise Lumley, executive assurance underwriting manager at Arch Insurance, puts it: “I would advise brokers to take a holistic approach, ensuring clients have cover for both first- and third-party privacy risks.” That means not just the immediate costs of investigation, notification and crisis response, but also the civil liability exposures that may emerge months or years after a breach.

Brokers are being urged to review how cyber, management liability and professional indemnity policies interact in the context of privacy events. Overlaps and inconsistencies between wordings can create confusion at claim time, while gaps between policies can leave significant portions of loss uninsured. As Lumley noted, cover should be structured with as little unnecessary duplication as possible, to minimise both complexity and the risk that individual components of a multi-faceted privacy claim fall through the cracks.

The new tort: how will policies respond?

One of the most closely watched elements of the reform package is the new statutory tort of serious invasion of privacy. Its arrival has prompted questions about how existing policies respond and whether clients now need entirely new products.

Lumley said that, given the breadth of coverage under many management liability and professional indemnity policies, these forms already respond to a wide range of privacy-related exposures, including those linked to the new tort and more assertive OAIC enforcement activity. The precise response will depend on the wording, but brokers should not assume that every aspect of the new regime falls outside traditional lines of cover.

Crucially, Lumley stresses that the new cause of action is not triggered by every minor misstep. “It is worth noting that the tort requires a reckless or intentional invasion to be made, which is a high threshold to meet. Moreover, the invasion of privacy itself must be serious in nature.” That distinction matters for brokers when talking to boards that may be bracing for a flood of claims. The more likely scenarios for many organisations remain regulatory investigation, class actions and reputational fallout following data breaches – exposures that must be mapped carefully across the client’s existing insurance program.

Data discipline, AI transparency and the broker’s new role

The reforms also sharpen expectations around technical and organisational measures to protect personal information. This is where insurance advice increasingly intersects with operational risk and governance.

Lumley recommends that brokers push clients to treat data lifecycle governance as a frontline risk control, not a back-office chore. That starts with robust data management and deletion frameworks, regularly reviewed and, critically, embedded into staff behaviour. Reducing the volume of stored information is one of the most effective ways to cut the impact of a breach: if data is not retained, it cannot be exfiltrated, misused or exposed.

Emerging technologies add another layer of complexity. Automated decision-making and AI-driven tools are rapidly spreading through business processes, often without a clear line of sight at board level. “Insureds may discover that AI impacts more systems than they would have expected,” Lumley warns. For brokers, this creates an imperative to probe how and where clients are using AI, what personal information is feeding those systems, and whether the required disclosures and governance structures are in place.

In practice, that means conversations that go well beyond limits and deductibles. Brokers must help clients document their technical and organisational measures, identify where automated decisions could trigger privacy complaints or regulatory scrutiny, and ensure those exposures are contemplated in policy design.

The upshot is that Australia’s new privacy regime is turning privacy risk into a truly enterprise-wide issue. Brokers who can connect the dots – between cyber incidents, governance failures, AI adoption and a tightening enforcement backdrop – will be best placed to keep clients out of trouble and to make sure that when things do go wrong, the insurance program responds as intended.