Since the COVID-19 lockdowns sent millions of Australian office workers home, the risk and occurrence of data breaches has skyrocketed. Some organisations have responded to the heightened risk better than others. In some cases, increased vigilance has improved information security measures. However, the net effect is likely to be a marked increase in the number of data breaches (including those which must be notified).
There are several factors behind this. Firstly, many organisations were completely unprepared for a situation requiring their employees to take their work home with them. In the mad rush to enable this, information security took a back seat. IT support departments found themselves under extreme pressure and often took shortcuts to increase throughput while responding to the slew of support tickets from those working remotely for the first time. Many organisations by default allowed the use of personal devices for work purposes, resulting in personal information being saved on unsecured storage disks and sensitive communications being transmitted over poorly configured home Wi-Fi. This was the perfect storm for a significant uptick in 'human error'-induced data breaches.
At the same time, the coronavirus crisis has given cyber criminals a special opportunity to exploit systems using a range of techniques, including those involving social engineering, phishing and spoofing. A flurry of COVID-19-related communications within and between organisations and government authorities blew open the door for malicious actors to propagate malware, harvest personal information and intercept private/confidential messages.
Unfortunately, the retail and hospitality sector has been found largely unprepared to respond to new and changing requirements for contact tracing. Frontline workers were given limited (if any) support in establishing good practices for the collection of personal information, inadvertently generating treasure troves of customer contact details – which are irresistible 'honey pots' to hackers who are able to sell such information for telemarketing and lead generation (and, not to mention, more nefarious purposes on the dark web).
This extreme backdrop highlights both: (i) the ongoing necessity of preparedness for data breaches; and (ii) the lack of such preparedness in most of corporate Australia.
What does the law require?
In short, the Privacy Act 1988 (Cth) (Privacy Act) includes the notifiable data breaches regime. Under this regime, where personal information is accessed or disclosed without authorisation or is lost (i.e. a data breach occurs) and the breach is likely to cause 'serious harm', the data breach must be notified to all affected individuals and to the Office of the Australian Information Commissioner (OAIC).
Putting the law aside, why is notification of data breaches necessary anyway?
The policy rationale for notification of certain data breaches is, quite simply, to protect individuals – including your customers. If you are holding their personal information, you are responsible for it. When a data breach occurs, you have lost control of it and the individual needs to know so they can take action to protect themselves if necessary. Given the regulator also has a role in protecting individuals' personal information, it is necessary to notify the regulator too, so it can support both your organisation and the individual in taking appropriate action.
Failure to notify in the event of a certain type of data breach can put individuals in harm's way. It undermines those individuals' trust in your organisation. Getting data breach notification right is important for your organisation's reputation, maintaining the trust of your stakeholders and your social licence to collect and hold personal information.
Don't be unprepared
Responding to a data breach (or suspected data breach) is always stressful. Organisations that are not prepared often find themselves desperately trying to get time with IT to get to the bottom of what has gone wrong and with management for direction, making panicked phone calls to external legal advisers and, in many cases, pulling the plug on critical IT systems in a last-ditch attempt to mitigate further damage.
In many cases, such drastic action is unnecessary, can be damaging and can be avoided where your organisation has already:
- identified the most likely categories of data breach for its industry sector and specific circumstances;
- allocated roles and responsibilities to key decision-makers within the organisation;
- devised a step-by-step plan for immediate steps in response to a suspected data breach;
- identified the information required to investigate a suspected data breach, where to find it and whom to ask for it;
- planned a step-by-step process for assessing when a data breach needs to be notified; and
- drafted template communications to notify, if appropriate, relevant parties of the occurrence of a data breach.
All these aspects, which allow for a calm and methodical (as opposed to chaotic and manic) data breach response, are set out in a Data Breach Response Plan (DBRP).
How do I ensure my organisation is prepared?
Being prepared is simple: put in the work beforehand so you don't find yourself panicking in the moment. The single most important step to ensure your organisation is prepared for your next data breach is to prepare a DBRP.
An effective DBRP can:
- protect your customers;
- protect your reputation;
- provide comfort in an often chaotic and crazy time;
- pre-assess (subject to re-assessment when the time comes) certain types of data breaches; and
- guide the organisation through what is often an intense and scary time.
Also, drilling or testing the DBRP via an exercise involving those allocated roles in the DBRP is a great way to ensure your DBRP is right for you and to build 'muscle memory'.
What needs to be covered in my DBRP?
A good DBRP is helpful on a number of levels: it should provide high-level 'just the basics' information bespoke to your organisation to give every staff member and relevant contractors an understanding of the core concepts. However, it should also provide enough detail so that individuals with responsibilities related to data breach response can find most of the answers within the one document.
While the content of DBRPs differs (and should differ) between organisations and, for larger organisations, between different divisions, at a minimum a DBRP must address:
- the purpose and scope of the document;
- what 'personal information' is and the types of personal information handled by your organisation;
- what a 'data breach' is and the types of data breaches most likely to affect your organisation;
- what an 'eligible data breach' is, how to assess whether a data breach is an eligible data breach and, for each step of that process of assessment:
  - who is responsible for what actions and decisions;
  - what facts and circumstances they need to consider; and
  - who needs to be copied and kept informed (including third parties);
- composition of and contact details for members of the Response Team;
- the escalation pathway; and
- trigger points and contact details for escalation to external advisers.
We also recommend including a ready-to-use escalation form as an attachment or annexure to the DBRP.
We have prepared a flowchart describing the process of assessing whether a data breach is notifiable under the Privacy Act which will help you prepare your DBRP (but is not a substitute for a DBRP). This is available on request and can be used as a guide or adapted for inclusion in your DBRP.
How do I ensure staff and employees actually use our DBRP?
An organisation can have the perfect DBRP but it will amount to nothing if it is filed away in an obscure folder on the company intranet and never used.
The best way to ensure awareness of your DBRP is to ensure that every staff member and contractor is made aware of it, trained on it and, where relevant, has the chance to put it into practice. As we know, information retention dramatically improves the more 'active' the style of learning. Don't bore your staff with an online training video or a lecture. Instead, put them in teams and get them to compete in a 'crisis cabinet'-style cyber drill. These sessions can be held virtually and are best run by your privacy officer in conjunction with an external facilitator. We also recommend these drills as essential for those individuals allocated more significant roles (e.g. decision-making roles) under the DBRP.
How do I comply with data breach notification regimes around the world?
Many organisations, particularly those operating digital-first businesses, have operations spanning multiple jurisdictions. A single data breach can also have regulatory consequences across borders. An emerging challenge for organisations operating in such an interconnected business environment is that of multi-jurisdictional privacy compliance.
Running in tandem with legal compliance is the challenge of keeping up with industry standards. A number of industry frameworks for information security compliance (with a focus on technical security controls) are currently vying for popular uptake in the market. However, from our experience advising global companies on privacy compliance, the frontrunner is the ISO/IEC 27701:2019 standard (ISO 27701). ISO 27701 requirements address aspects of data breach notification to enable you to comply with, in addition to Australian requirements, those of the GDPR and the privacy laws in other jurisdictions. While standards like ISO 27701 are agnostic as to specific legal requirements in different countries, they provide tools that will help you develop a compliant framework for your organisation across multiple jurisdictions.
Your compliance with data breach notification requirements in multiple jurisdictions can therefore be supported by building out your existing compliance program (e.g. against ISO 27701). Of course, adopting these standards will also support an uplift of other areas of your privacy compliance (i.e. in addition to data breach response and notification).
Your DBRP must accommodate and comply with each relevant country's data breach notification requirements but, somewhat surprisingly, in most cases this is not too difficult. The difficulty is often developing an appropriate DBRP in the first place.
Should my organisation take out cyber insurance?
Given the terrifying frequency at which data breaches now occur, the size of penalties being sought and obtained and the considerable damage to an organisation's reputation that flows from a major data breach, we believe it is becoming increasingly important to take out appropriate cyber insurance. Cyber insurance should be considered as part of a broader Board-level assessment of your organisation's risk profile and appetite. However, be warned, there is no 'one size fits all' cyber insurance policy. Also, take care to ensure that your policy is appropriate to the Australian cybersecurity and privacy regime (i.e. it is not simply imported from the EU or the US).
Next steps for your organisation
With cybersecurity now undeniably a Board-level imperative (and part of directors' duties), the time to get your house in order is now. Start by:
- preparing your DBRP;
- aligning your IT security program with legal compliance and corporate strategy; and
- running cyber drills for your staff and contractors.
Please don't hesitate to get in touch with us if you have any questions or require any assistance with the matters raised in this article.
Originally published by Mills Oakley, July 2020
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.