Is Your Business Set For The New Mandatory Data Breach Notification Laws?

New mandatory data breach notification laws take effect in Australia on 22 February 2018. This legislation seeks to protect consumers’ personal information: it requires that public agencies and private organisations report all eligible data breaches to the affected individuals and to the Privacy Commissioner. An eligible data breach occurs when there is unauthorised access to, disclosure or loss of personal information held by an agency or organisation, and that access, disclosure or loss is likely to cause serious harm to the individuals concerned. As yet, there is no definitive measure of serious harm. However, serious harm may reasonably be taken to include physical, financial and reputational damage, as well as adverse emotional or psychological impact.

This mandatory notification applies to all public and private entities that are governed by the existing Privacy Act, which includes organisations with an annual turnover exceeding $3 million. Mandatory reporting also applies to companies with turnover under $3 million that are in the business of handling personally identifiable information (PII) such as names, social security numbers, personal contact and credit information, and health and financial records. If an organisation is related to another that is governed by the Privacy Act, then that organisation is also subject to the mandatory data breach notification requirement.

Current State of Preparedness

Although the Privacy Amendment (Notifiable Data Breaches) Bill of 2016 established the upcoming mandatory reporting requirement, many organisations, especially small businesses, remain unprepared. According to a recent survey, 44% of Australian businesses reported that they were not ready for the mandatory notification requirements. This may stem from a mistaken belief that small firms would not be subject to the new legislation. It may also be the case that information security has long been viewed as the domain of IT professionals, so that insufficient attention has been directed to this aspect of business operations. However, given our growing digital economy and the increasing cyber threats that accompany it, it is becoming clear that the usual risk management framework must now also consider the mitigation of cyber risks.

The Process of Mandatory Data Breach Notification

If an organisation suspects that it may have been subject to unauthorised access, disclosure or loss of personal information that may cause serious harm to any of its stakeholders, then it has 30 days to investigate and conclude whether or not an eligible data breach occurred. However, it may not be prudent to wait an entire month before deciding on the eligibility of a data breach. The factors an organisation should consider when determining whether an eligible data breach has occurred include:

· the type and sensitivity of the information in question;
· whether or not steps were taken to protect the information (for example, data encryption);
· how likely it is that the protection measure will be defeated (such as the encryption being cracked) and the information revealed;
· the scope of the potential serious harm to affected individuals; and
· any other relevant factors.

In the case of an eligible data breach, the company must prepare a formal statement for the Privacy Commissioner and each of the affected parties. This statement must include details of the nature of the data breach and the remedial actions taken to protect those adversely affected. Where it is not possible to inform every affected individual, the statement must be published on the company’s website. We recommend that legal counsel be obtained in the unfortunate event of a data breach, so that the organisation can be sure that all aspects of the mandatory notification requirement are met.

Non-Compliance Consequences

Failure to report eligible data breaches will be costly in several ways. The Privacy Commissioner is empowered to apply fines in cases of non-compliance with the mandatory notification requirement. Individuals (such as sole traders and general partners) may face fines of up to $360,000, while corporate organisations may have to pay fines up to $1.8 million.

However, the consequences of non-compliance do not originate solely from the Privacy Commissioner. The Privacy Act enables an individual to make a representative complaint (on behalf of several affected parties) directly to the Privacy Commissioner. There is also the possibility of class actions being initiated in the wake of a data breach. Another pressing concern is the loss of consumer and investor trust. This goodwill is vital for a company’s success, and non-compliance may be perceived as a lack of trustworthiness, which may then have further adverse effects on the organisation in question.

Compliance Matters

We recommend a two-pronged approach of both prevention and corrective measures to ensure full compliance with the new mandatory data breach notification law.

Prevention Measures

The mandatory notification requirement means that organisations need to establish robust information security systems, or review their existing systems in light of this new legislation. Information security covers all the cyber-safe policies and procedures governing the collection, storage and retrieval of personal data. However, companies will need to do more than merely install commercial security software. The latest data-stealing malware is being delivered via email, which means that users at all levels of an organisation need to be trained to navigate and actively support the information security framework. Small businesses may need to outsource certain security needs to IT vendors. It is therefore also important that all vendors employ the latest cyber security measures and are ready to comply quickly with any requests for updates and formal reports.

Corrective Measures

In the event of an eligible data breach, it is useful to have a set of templates and procedures on hand. It is vital to have a detailed incident response plan which includes the organisation’s breach assessment criteria, templates for notifying affected parties and the Privacy Commissioner, and procedures for implementing remedial measures. We recommend that any incident response plan be tested with all members of the organisation and with external vendors, so that each person is aware of their role in responding to a possible data breach. We further recommend that all organisations obtain legal counsel to ensure that every element of the mandatory notification requirement is handled appropriately.

The mandatory data breach notification law will definitely alter the way in which businesses operate within Australia. Other countries such as the USA, Germany, Canada and the UK already have such legislation in place, so successful adaptation to these new requirements has already proven possible. We urge all Australian organisations to become familiar with their new legal obligations and to make use of all the available resources and services, for both information security and notification support.

Beware of Real Estate Hacking Attacks

Hacking attempts are not just a problem for large corporations. Unfortunately, cybercriminals are equal-opportunity attackers, a fact which has been corroborated by the recent real estate hacks. The Australian real estate industry is valued at approximately $14 billion, which makes it a tempting target for these criminals.

Consumer Affairs Victoria reported that several of the state’s homebuyers were victimised in an email scam and lost over $200,000 between them. The buyers said that they received emails containing contracts of sale and trust account details for the payment of their deposits. This first email was then followed by another, which told the hapless buyers that there had been an error in the original email and that they should deposit their funds into an alternate account. The criminals had hacked the real estate agents’ email accounts and used the second round of emails to divert the funds to their own bank accounts.

Unfortunately a similar case of virtual fraud occurred in the real estate sector last May. The Real Estate Institute of New South Wales reported that a real estate agency’s online bank account was hacked and $757,000 was siphoned away in a series of transfers.

There are significant losses associated with such cyber hacks. Simon Cohen, Director of Consumer Affairs Victoria, advises that people purchasing their homes do their due diligence before making deposit payments. He recommends that buyers beware of emails that give different banking information. In fact, it is always best for buyers to call their real estate agents to verify all payment details before transferring any funds. Any individual or business that discovers that a payment was made to an incorrect account should contact their financial institution immediately. Furthermore, real estate agencies are encouraged to regularly review and secure all online systems to rebuff any hacking attacks. If you become a victim of cybercrime, we recommend that you make a formal report to the Australian Cybercrime Online Reporting Network.

We all operate in a globally connected world and we face increasing threats. Therefore it is prudent to adopt the best cybersecurity practices to protect ourselves and our assets.

What everybody really needs to know… about Cyber Security and Australian Banks

The recent Mandatory Breach Notification legislation has brought the issue of cybersecurity to the forefront of national dialogue. The Australian Prudential Regulation Authority (APRA) asked banks, insurers and superannuation funds to be aware of the risks of cyber attacks.

The Australian banking industry reported a cash profit of $31.5 billion for 2017 and a 6.4% growth rate relative to 2016. It is also important to take into account our nation’s $2.6 trillion superannuation pool, as well as the vast numbers of customers who conduct daily online banking activities. Understandably these facts render the industry, and its customers, as prime targets for cybercriminals.

APRA’s executive board member Geoff Summerhayes indicated that a major data breach at an Australian financial institution is “probably inevitable”, and could even adversely affect the longevity of that institution. Unfortunately, a number of financial institutions have yet to fully consider how they would handle an online attack, which would be guaranteed to generate significant and costly risks.

According to Summerhayes, cybercrime is a growing and lucrative industry. In the face of the relatively slower adaptation of institutions to the reality of rapidly evolving cyber crime, virtual criminals are reaping huge benefits with very little prospect of being apprehended.

APRA believes that cyber risk is a significant prudential threat to financial organisations. Large corporations that invest heavily in their own cybersecurity have a reduced risk of an attack causing sufficient damage to put them out of business.

However, APRA surveys showed that, while awareness of cyber risks is increasing, improvements still need to be made. While some companies have documented incident response policies to counter a possible virtual attack, these plans have not been tested or incorporated into their overall disaster recovery framework.

In light of these circumstances, APRA has released its first prudential standard on information security, which will set the minimum requirements for the sector to manage cyber risks. Financial institutions will be required to conduct regular testing of their cyber defences, implement strong detection systems, and assign senior staff members responsibility for cybersecurity. According to Summerhayes, these preventative measures will strengthen the banking sector, reduce the likelihood of successful virtual attacks, secure Australians’ confidential information and support national stability.

To Businesses Who Want to be Cyber Safe… but Don’t Know How to Get Started

Small and medium-sized businesses (SMBs) are not exempt from cyber attacks. In fact, close to 60% of all breached organisations fall into this segment. The recent Mandatory Data Breach Notification law now also means that there are hefty consequences for neglecting the protection of customer information.

This legislation requires that all eligible data breaches are reported to the affected individuals and the Australian Privacy Commissioner. Any failure to report an eligible breach can result in heavy fines levied against sole proprietorships ($420,000) and against partnerships and/or companies ($2.1 million). It is therefore essential that SMBs keep abreast of the latest developments and relevant statistics in the cybersecurity sector.

The issue for most businesses, though, is that they don’t know where to start. The field known as ‘cybersecurity’ is large and covers many areas. SMBs in particular often don’t have a designated person to look after this for them, unlike larger organisations, and are left to wade through the many available options themselves or turn to their dedicated IT person.

So where does a business start? To best answer that question, it is important to know the motives behind these attacks in order to be able to deter them. According to data published in the 2018 Data Breach Investigations Report (DBIR), approximately 76% of breaches are financially motivated, no real surprise there I hear you say.

The 2018 DBIR indicates that phishing is the most popular initial access method used by criminals, with roughly 92% of malware being delivered via email. Phishing is a form of social engineering where cybercriminals use emails to pose as legitimate persons or institutions to deceive others into revealing personal, confidential and financial information.

In the past, these emails were a lot easier to spot, often littered with spelling mistakes, poorly replicated logos, sender domains that did not match the organisation being impersonated, and the like. This is no longer so often the case; the criminals have upped their game. The emails are now far more sophisticated, are not as easy to spot and, in many cases, closely resemble the emails sent by legitimate organisations.

Now here’s the key takeaway from all of this. The Ponemon Institute’s 2017 report indicates that 54% of data breaches were due to negligent employees. The recommendation, therefore, is that SMBs invest in training their personnel to detect and avoid phishing emails, and also run frequent controlled phishing campaigns to check that the training is being applied.

Ransomware is the top category of malicious software, being used in approximately 40% of malware-based attacks. This form of malware is popular because it is easily deployed through phishing emails, web-based instant messaging apps, drive-by downloads and malware-laden advertisements. Ransomware is also an effective means of illegally obtaining large sums of money with a low risk of prosecution and imprisonment.

According to the Ponemon Institute’s 2017 report, close to 60% of small businesses have reported that cyber attacks are becoming more complex and destructive. Cybercriminals have become savvier, using techniques that circumvent standard security measures. In 2017 a staggering 77% of these attacks utilised fileless techniques, which abuse weaknesses in system components (such as browser add-ons) to launch virtual attacks. These fileless attacks are ten times more likely to succeed, as anti-malware software only detects file-based malware.

Your IT person or department can look after the software and hardware (e.g. firewalls, antivirus, routers and so on), but as you can see here, the ‘human firewall’ is most often your last line of defence. So make that part as bulletproof as possible. And finally, the answer to the earlier question is to train everybody within the organisation. Awareness training, phishing simulations and generally keeping this critical issue front of mind are key.
