Cyber Incidents: What do the risks mean for your Pilates studio?

While cyber risks may not be front of mind for you in your day-to-day practice, it’s important to be aware of the cyber risks that exist, especially in the health industry.

According to the Australian Digital Health Agency, personal health information in particular is an attractive target for cyber criminals. Individual health data is considered to be more valuable than other types of data. What do these risks mean for your Pilates studio?

In this article, the PAA’s insurance partner, BMS, discusses common risks and trends associated with cyber incidents. Ashlee Sherman and Scott Shelly of law firm Barry Nilsson discuss your professional obligations as a Pilates professional, and how you could respond to a cyber incident.

Cyber risks

Imagine arriving at your studio one morning, only to discover you cannot access your online systems. You can no longer access your clients’ information, or information about upcoming appointments.

Suddenly you don’t have the information required to perform your work. How could this impact your clients? Your business? Your reputation?

If a cyber incident results in a security or privacy breach, it could cause harm to clients. This creates the risk of claims and/or complaints from current or previous clients who have been affected.

Additional risks may include the following:

  1. financial loss;
  2. disruption to business operations; and/or
  3. potential damage to your reputation.

While it can be easy to think that, as a small business, you might be immune to cyber threats, anyone can be a target. The Annual Cyber Threat Report 2022–2023, developed by the Australian Signals Directorate (ASD), reported a 23 per cent increase in cybercrime reports from individuals in the last financial year. The ASD also responded to 1,100 cyber security incidents reported by Australian critical infrastructure networks. These findings highlight the continuing cyber threats Australians and Australian businesses face.

Read the full report here.

What are your legal obligations?

When handling health information, Pilates providers in Australia are required to:

  1. take reasonable steps to protect personal information (including health information) they hold from misuse, interference and loss, as well as unauthorised access, modification or disclosure;
  2. take active measures to ensure the security of personal information they hold, and actively consider whether they are permitted to retain personal information;
  3. advise clients why their health information is being collected as well as how the health information will be stored and protected;
  4. advise clients if there are any other parties their health information may be disclosed to; and
  5. maintain a privacy policy which includes a summary of how the Pilates provider handles health information.

How can you respond to a cyber incident?

If a cyber incident occurs at your studio, you need to take action to minimise the risk of harm. In particular, this may include the following:

  1. advising your client(s) that the confidentiality of their health information may have been compromised due to the cyber incident;
  2. if the data was released to an incorrect recipient, requesting that the recipient deletes the information;
  3. seeking expert IT assistance as well as legal advice if necessary; and
  4. contacting the Australian Cyber Security Hotline for guidance.

You also need to consider whether the cyber incident qualifies as an eligible data breach under the NDB Scheme, which requires a notification to be made to the Office of the Australian Information Commissioner (OAIC). More information is located at: Part 4: Notifiable Data Breach (NDB) Scheme | OAIC. Notifiable data breaches are generally those that are likely to cause serious harm which cannot be prevented by remedial action.

How can BMS help?

BMS is the official insurance broker for the Pilates Association Australia. As a member, you have exclusive access to a range of insurance solutions, including cyber liability insurance.

Speak to a BMS broker to learn more on 1800 940 764 or via email at pilatesaa@bmsgroup.com.

This article is facilitated by BMS, with information on professional obligations and how you could respond to a cyber incident provided by Ashlee Sherman and Scott Shelly of Barry Nilsson. BMS discusses common risks and trends associated with cyber incidents.

*Barry Nilsson communications are intended to provide commentary and general information. They should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this communication.

You must be a current Pilates Association Australia (PAA) member to be eligible to register for the PAA Member Insurance program. You must be part of the PAA Member Insurance program in order to access additional cover. If your membership ceases, you will not be offered renewal when your policy expires. In offering this insurance to our members, PAA is a distributor of BMS Risk Solutions Pty Ltd (BMS) AFSL 461594, ABN 45161187980. Cyber Liability insurance is issued by BMS under binder with Certain Underwriters at Lloyds (the insurer). When acting under a binder, BMS acts as agent for the insurer and not as your agent. This is general advice only and BMS has not considered whether it is suitable for your personal circumstances, current objectives, needs or financial situation. Please read the Policy Wording and the BMS Terms of Engagement, which contains the Financial Services Guide, before making a decision about purchasing this policy.
