22nd February 2018 marks D-Day for the commencement of reforms to the Australian Privacy Act. And with it comes the real spectre of $1.8m in corporate fines and $340K in personal ones for any business that loses customer data. You can almost hear the hackers crack their knuckles as they sit at their keyboards to see who they can pick off first…
Businesses turning over more than $3m a year, those that collect personally identifiable information from people and all Government organisations will be obligated to notify the Australian Information Commissioner and affected individuals if they suffer an eligible data breach. So that’s pretty much everyone then.
This covers a multitude of methods including hacking, theft by insiders and good old fashioned accidental loss. From our experience as penetration testers, most corporate networks are seriously vulnerable and wide open to attack and exploit by anyone with a reasonable amount of hacking knowledge, and certainly to the professional hackers who make a living out of it. Organisations most at risk include those holding large amounts of personal information – and let’s face it, that’s most organisations these days. Especially retailers, banks, financial services companies, utilities, healthcare providers, transport providers, insurance companies, and every SaaS platform provider under the sun.
An eligible data breach will arise where there is unauthorised access to, or unauthorised disclosure or loss, of personal information held by an organisation and this is likely to result in serious harm to one or more individuals.
Serious harm may include serious physical, psychological, emotional, economic and financial harm, and serious harm to reputation.
The best response (to be honest, the ONLY response) is to prepare. NOW. Waiting until a breach happens and then scrambling to deal with it after the event is not smart.
Various factors come into play when considering whether ‘serious harm’ has or could occur, including: the kind, and sensitivity, of the information; whether the information is protected by security measures such as a password, and the vulnerability of such measures; the persons or kinds of persons who have obtained or could obtain the information; and the nature of the harm.
If an organisation suspects an eligible data breach, it has 30 days from the moment of discovery to assess whether there are reasonable grounds to believe one has occurred.
Any eligible data breach may be avoided if an organisation has taken genuine mitigating action to ensure ‘serious harm’ does not occur to an individual.
Prevention is the best defence and companies should not wait to take mitigating actions. This means putting in place the administrative and technical controls which form the security measures required to protect personal information.
Preparing a data breach response plan is essential and that starts with an Incident Response Plan. This will help your organisation understand how it will detect, contain, eradicate and recover from a breach event. The plan should also address identifying the scope and effect of the breach (who has been affected, and how); what information has been accessed and stolen; what was the root cause or source; and whether serious harm has occurred.
Having a crisis communications plan for the event of a data breach may seem unnecessary now but in the event that it happens, handling the privacy commissioner is only part of the problem – it may mean notifying thousands of people and handling the press too. This is where reputations will be made or destroyed.
Monitoring your network passively using a range of software security tools and an outsourced security team watching 24/7 is the most proactive step you can take – for large companies this is the ideal solution. Creating separation of duties between your existing network team and the expert security team is essential from a compliance perspective and the most effective way to ensure that things don’t get missed or covered up if an event does occur.
Training personnel on data breach and general security obligations, and on the responsibilities each employee has in assisting the entity to comply, is also an important process to undertake.
The most authoritative source on the Notifiable Data Breaches scheme is the Office of the Australian Information Commissioner and their overview is here: https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme
Cyber Research is helping numerous organisations to prepare and implement the right security controls to mitigate their vulnerabilities and ensure data breaches are a risk well managed. Contact us at [email protected] and make sure you can handle D-Day and every day after.