The COVID-19 outbreak poses an array of cyber security challenges for lenders in Australia. The ACCC's cyber monitor, ScamWatch, has reported a significant increase in cyber security incidents since the global pandemic evolved, with over 2,000 reported scams relating to COVID-19 to date. This is of particular concern for the financial services industry, which was already the second highest reporting sector for data breaches, with 64% of all notifiable data breaches consisting of malicious or criminal attacks.
While lenders juggle the various unprecedented and pressing demands placed on them, it is important that they remain vigilant in monitoring their compliance with data-security and privacy obligations in the face of a heightened risk environment.
This article serves as a timely reminder of the steps that a lender should take to ensure that it is well placed to respond quickly and efficiently to a cyber incident, and the steps that a lender should take if it believes that its systems or data have been compromised.
Be prepared
It is prudent to review, and to ensure that the relevant staff members are familiar with your data breach response plan, including undertaking the following:
- have your crisis management team ready for immediate mobilisation and response – a team of multi-disciplinary specialists (including, as appropriate, IT, legal, risk and compliance, PR/communications, corporate affairs and HR) which is known in advance and has full authority to act without needing to seek further approval; and
- ensure that you have a robust data breach response plan (or review your existing plan) which should be capable of being implemented immediately. The plan should set out:
  - your strategy for containing, assessing and managing a data breach from start to finish – with clear reporting lines, escalation paths and criteria for when to mobilise the crisis management team;
  - your strategy for dealing with the communication of the data breach internally and externally – including to affected individuals, the OAIC and other regulators that may be relevant to your business;
  - the roles and responsibilities of staff members; and
  - processes for dealing with a data breach involving another entity, such as your IT supplier.
Consider having data-breach drills the same way that you would have fire drills to test your data breach response plan and to ensure that staff members are aware of their roles in order to respond promptly to cyber incidents.
We may have been hacked – what now?
Practical steps
In practical terms, your response may include taking some or all of the following steps:
- get the facts of the data breach – don't just rely on assumptions;
- carefully manage communications to internal and external stakeholders – including setting the correct narrative for the data breach and your response from the outset;
- build a stakeholder map, and consider the legal relationship you have with each stakeholder so as to ultimately guide you to a prioritised work plan for responding to the incident;
- seek the protection that can be gained through legal professional privilege by engaging with your internal or external legal advisers – otherwise sensitive internal communications and documents about the breach (including forensics reports) could be exposed to regulators or those pursuing civil damages claims against you;
- determine your notification obligations at law – to affected individuals, to the Office of the Australian Information Commissioner (OAIC) and to any other regulators relevant to your business – see below for further details; and
- consider your contracts that may be impacted by the cyber incident, including rights and obligations that may be triggered.
Obligations at law
Lenders with an annual turnover of $3 million or more have obligations under the Privacy Act 1988 (Cth) to report certain data breaches (known as "eligible data breaches").
If you do become aware of a cyber-incident, including one that could result in a data breach, it is important to act methodically and quickly to assess the incident, mitigate the impacts of the incident and, if appropriate, report the breach. If a suspected data breach occurs, you should take the following steps:
Step 1: Commence an assessment
You must undertake a reasonable and expeditious assessment (and, in any event, within 30 days of the suspected data breach occurring) to determine whether there are reasonable grounds to believe that an "eligible data breach" has occurred.
Step 2: Determine whether an "eligible data breach" has occurred
An "eligible data breach" occurs if:
- there is unauthorised access to, or disclosure of, information, or information is lost in circumstances where such unauthorised access or disclosure is likely to occur;
- a reasonable person would conclude that access or disclosure would be likely to result in "serious harm" to any of the individuals to whom that information relates; and
- you have not been able to prevent the likely risk of serious harm with remedial action.
The key test for notification is whether the actual or suspected data breach is "likely to result in serious harm" to individuals. You should have regard to the following, among other relevant matters, when assessing whether individuals are likely to suffer "serious harm":
- the kind and sensitivity of the information involved in the breach;
- whether the information is protected by security measure(s) and the likelihood of that protection being overcome;
- the persons, or kinds of persons who have obtained, or could obtain, the information;
- if a security technology or methodology was used to make the information unintelligible or meaningless – the information or knowledge that would be required to circumvent the technology or methodology; and
- the nature of the harm – whether that harm be physical, psychological, emotional, reputational, economic or financial.
It is not just the likelihood of the harm occurring, but also the anticipated consequences for individuals if the harm was to materialise (e.g. risk of identity theft).
For example:
- you become aware that a USB drive containing customer credit card numbers and expiry dates has been misplaced within your offices. The information is encrypted to industry standards and the USB drive is located within an hour. On that basis, it is unlikely that someone could have circumvented the encryption technology within that time and, unless there are other escalating factors, this is unlikely to be an eligible data breach; and
- you become aware that one of your employees' smartphones has been left on a bus. The phone allows access to a spreadsheet you maintain (for internal reference) which analyses customers' tendency to pay their credit cards on time. The spreadsheet is not password protected or otherwise encrypted, and the employee did not give your organisation the ability to remotely wipe data from their phone. This is likely to be an eligible data breach.
As the notifiable data breaches scheme is relatively new, the meaning of "serious harm" is still somewhat nebulous. From a reputational perspective, it is often best to err on the side of caution and to make the required notifications if there is doubt as to whether the threshold of "serious harm" has been reached.
Step 3: Notify the OAIC, APRA and/or affected customers
If you have reasonable grounds to believe that an "eligible data breach" has occurred, you must as soon as practicable:
- prepare a statement setting out:
  - your contact details;
  - a description of the data breach;
  - the kinds of information concerned; and
  - the steps you recommend individuals take to mitigate the harm that may arise from the data breach;
- give a copy of the statement to the OAIC; and
- take such steps as are reasonable in the circumstances to notify affected individuals of the contents of the statement. This generally involves contacting the affected individuals by their preferred contact method (e.g. by mail / email). Where this is not practical (such as where the information relates to old customers for whom you no longer have current contact details), you should include a copy of the statement prepared for the OAIC on your company website and take reasonable steps to publicise the contents of that statement for other affected individuals to refer to.
If you are an Australian Prudential Regulation Authority (APRA)-regulated entity, and the breach has materially affected, or has the potential to materially affect, you or the interests of your depositors, policyholders, beneficiaries or other customers, then there is an additional obligation to notify APRA as soon as possible (and within 72 hours after becoming aware of the breach). This means that you may need to notify APRA notwithstanding that the assessment described in step 1 above is not yet complete.
A failure to notify an "eligible data breach" is considered an interference with the privacy of an individual affected by the breach. Serious or repeated interferences with the privacy of an individual can give rise to civil penalties of up to $2.1 million. Please note that if the EU General Data Protection Regulation (GDPR) applies to you, you may be subject to additional penalties under the GDPR.
Key takeaway
Lenders must be vigilant of this heightened risk environment. Despite the extraordinary environment in which we find ourselves, data security and privacy obligations continue to apply.
Now is the time for lenders to prepare methodically – by assessing and, where appropriate, increasing cyber-security measures they have in place, maintaining clear and regular lines of communication with personnel, suppliers and customers, and reviewing, testing and updating their business continuity and data breach response plans – so that they are well placed to act rapidly and effectively to external threats and to minimise the impact of any successful attacks.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.