As the new Notifiable Data Breach Scheme comes into effect in Australia on 22 February 2018, there is now an onus on businesses to protect individuals whose personal information is involved in a data breach, and to notify them when that breach is likely to result in serious harm.

When most people think of data breaches, they think of sneaky virus attacks in which employees are tricked into opening files that let malware penetrate servers, but the reality can be much more mundane, plausible and preventable.

And it’s not all about IT systems and cybersecurity. There have been numerous cases of hard copy records being disposed of inappropriately, sensitive data on USB drives being lost on the way home, or machines being disposed of with the data still on the hard disk. (As a side note, did you know that GrassrootsIT offers a service where your decommissioned hardware is disposed of securely?)

Who is covered by the data breach scheme?

The Notifiable Data Breach (NDB) Scheme affects organisations covered by the Privacy Act – that is, organisations with an annual turnover of $3 million or more. But if your business is ‘related to’ another business covered by the Privacy Act, deals with health records (including gyms, child care centres, natural health providers, etc.), or is a credit provider, then your business is also affected.

What do you need to do?

Complying with these new laws means more than ringing the bell and notifying your customers and the authorities when a breach occurs. Organisations are required to take all reasonable steps to prevent a breach from occurring in the first place. This means putting in place the systems and procedures to identify and assess breaches, and to issue a notification if a breach is likely to cause ‘serious harm’.

How do you assess your risk?

The Privacy Act already requires organisations to take all reasonable steps to protect personal information. The new data breach laws add a further layer: assessing breaches and notifying where a breach poses a threat.

What is your Data Breach Plan?

When it comes to data breaches, all organisations must have a data breach response plan.

The data breach plan covers the:

Hopefully all the systems you have in place will ensure you don’t need to deal with a data breach, but if it does happen, you will need to notify various parties, including:

You can notify the Commissioner using this form.

To access the full guide to the Notifiable Data Breach Scheme, you can find it on the OAIC website.

While it’s unknown at this stage what the repercussions will be from a data breach and how the OAIC will police it, it’s important that we get our preparation in place. At the end of the day, making sure we have robust systems to protect the data of our clients should be high on the priority list anyway – this is just another reminder to ensure we have the right policies and procedures in place to back up what we’re already doing.

If you need any assistance assessing the security of your IT systems, contact us today.

In just the last five years, business leaders have changed the tone of their cyber security conversations. It is no longer a discussion about layers of defence or the beefiness of the firewall; instead, Directors now understand that it’s no longer a matter of ‘if’ but a matter of ‘when’ the system will be breached. The smart companies have already started to shift their resources from preventative techniques to detective ones.

The fact that historical approaches to cybersecurity are no longer good enough is an indication that cyber attackers have become more intelligent and patient, and that the nature of the attacks is more sophisticated. In today’s digital world, this is something business leaders have come to accept.

The perimeter of your network can no longer be defined and effectively controlled. Instead, attackers have learned to be patient and to exploit lower-risk vulnerabilities that are usually ignored by internal IT teams, allowing their activity to go unnoticed.

This is all the more reason Australian businesses need to take cyber security more seriously. The first step is to focus on predicting where the next risks to the business will be and working pre-emptively to come up with solutions.

There is no better way to demonstrate the urgency of developing formal cyber security plans for your business than looking at some of the big players and the cost of their data breaches:

Case Study 1 – Target

The brand we know and love, Target, was subjected to a malware-based attack through a compromised point of sale system that allowed hackers to steal customers’ credit card information for three years without detection. Target’s share price dropped 13.7% in the month the data breach was announced, and the company said the cost of the breach aftermath was close to $163 million.

Case Study 2 – Sony Pictures

This time the hackers used more complex exploits. They used highly sophisticated phishing, called employees pretending to be from internal IT teams, and ended up creating fake digital authentication certificates to bypass security systems. The breach allowed the hackers to expose the entire Sony employee email servers to the public. Sony admitted that the cost of IT repairs after the breach totalled $35 million, with the total cost of the breach coming close to $1 billion.

Case Study 3 – US Office of Personnel Management

Government departments are especially vulnerable, which is why the Coalition has recently introduced an Australian Government Cyber Security Strategy. In the United States, the Office of Personnel Management had 22 million government employee records stolen by a contractor who was tasked with performing background checks. The information stolen included employees’ driver’s licence and passport information.

Case Study 4 – Yahoo

In one of the largest breaches of customer information ever recorded, Yahoo reported in late 2016 that a breach had occurred three years earlier, in 2013, in which over 1 billion user accounts were compromised by hackers. The cyber criminals took and published the user records, which included full names, email addresses, dates of birth, secret questions and answers, and passwords. Verizon Communications reduced its original takeover bid for Yahoo by $925 million as a result of this breach. While the real cost of the breach has not been disclosed, its catastrophic effect has certainly been felt in the reputational damage Yahoo has faced in the media.

So how can my company be compromised?

This is the question most people want answered: how can I be breached? The premise behind it is ‘what can I do to prevent this particular breach?’ The reality is that in close to 60% of cases, attackers are able to compromise an unprepared organisation within minutes.

Between 70% and 90% of malware samples were created uniquely for a single organisation. This means attackers will likely evaluate your specific business, looking closely at the applications you are running, in order to develop a unique exploit.

The prevalence of phishing is also a very high risk. Two thirds of incidents in which a business was compromised included a pattern of phishing. In a recent study by the Ponemon Institute, 23% of business employees opened phishing messages and 11% clicked on attachments within the first hour of receiving them.

What will a cyber breach cost?

Perhaps you’re not in the middle of a takeover bid, but the cost of a cyber breach will still be great. IBM interviewed 1500 organisations and found that the data breach cost per record (think of how many paying customers you have ever had in your company records) would amount to between $200 and $400 per customer. And the costs are growing. You need to consider not only the IT repair and hardware costs, but also the reputational damage that will inevitably occur when the Privacy Commissioner forces you to publicly disclose that your company was breached (and the cost of fines if you don’t).

Where should I focus if I want to protect my business?

Start by assessing the cyber risks that apply to your business. Look at your cyber maturity and your business objectives:

  • What digital solutions are changing in line with where the business is heading?
  • Consider how you will mitigate those risks: what is your ‘plan B’ and ‘failsafe’ for each critical system?
  • What type of cyber awareness training might be appropriate for your employees, and how regularly should they refresh their knowledge?
  • Ensure you have senior management support for good cyber practices, and that this is reflected in the company culture.
  • Ensure you have three lines of defence for critical systems:
    • the right configurations,
    • effective and regular monitoring of those controls and configurations, and
    • having an independent expert regularly audit and assess those controls to determine any weaknesses.

Cyber threats will continue to rapidly evolve in the years to come. It is now more critical than ever to ensure you remain a step ahead of cyber criminals and your competitors to give your company the edge to grow and succeed securely.

References:

https://techcrunch.com/2015/02/25/target-says-credit-card-data-breach-cost-it-162m-in-2013-14/

http://www.csoonline.com/article/2879444/data-breach/hack-to-cost-sony-35-million-in-it-repairs.html

https://cybersecuritystrategy.dpmc.gov.au/assets/img/PMC-Cyber-Strategy.pdf

http://www.cnbc.com/2017/03/14/verizon-sought-925-million-discount-for-yahoo-merger-got-350-million.html

http://fortune.com/2017/01/09/yahoo-marissa-mayer-board-verizon-acquisition/

Cost of Data Breach Study: United States, Ponemon Institute LLC, May 2016.

https://www-03.ibm.com/security/infographics/data-breach/

This is a guest post by Gavin McDowell, Chief Security Officer at Gridware Cybersecurity. Gavin is a highly experienced information security expert with over 17 years’ experience in the IT industry. Prior to Gridware, Gavin held several senior security roles at Accenture Consulting, Symantec Australia and Westpac Banking Corporation. Gavin has a Bachelor of Computer Science (First Class Honours) from the University of Sydney and a Masters of Business Administration from Macquarie Graduate School of Management.