Cyber security a major issue for Australian corporates in 2016
August 2016 | SPECIAL REPORT: TECHNOLOGY RISK MANAGEMENT
Financier Worldwide Magazine
With serious data breach notification legislation expected later this year, and increasing reports of cyber attacks, there is a real focus in Australia on cyber security. This article focuses on key risks and mitigation strategies.
Cyber security is a major issue
The seriousness of the potential impact of cyber attacks is now recognised in all or most boardrooms in Australia, and also by the Australian government. On the Australian government cyber security web page, which hosts the Cyber Security Strategy launched this year, the Australian government noted that: “The risk to the Australian economy from computer intrusion and the spread of malicious code by organised crime has been assessed as high. An increase in the scale, sophistication and perpetration of cyber crime has made it increasingly difficult to identify and defeat. The growing array of state and non-state actors who are compromising, stealing, changing or destroying information, potentially causing critical disruptions to Australian systems, the distinction between traditional threat actors—hackers, terrorists, organised criminal networks, industrial spies and foreign intelligence services—is increasingly blurred.”
Well-publicised cyber attacks, such as the 24 November 2014 attack on Sony Entertainment, and the Ashley Madison data breach in 2015, have also brought cyber security to the broader public’s attention.
Data breach notification
At the moment, the only data breach notification obligation in Australia is restricted to the My Health Records system, which is a Commonwealth Government database containing health information. Section 75 of that Act requires certain participants in that system to notify the system operator and the Australian Information Commissioner of unauthorised collection, use or disclosure of health information, and of any event or circumstance that compromises, has compromised or may have compromised the security or integrity of the My Health Record system. It also requires entities to take appropriate steps to contain the contravention, event or circumstances, to arrange for the system operator to notify affected healthcare recipients and to mitigate the effect of the contravention, event or circumstances.
In March 2016, the Australian Attorney-General’s Department released an exposure draft Serious Data Breach Notification Bill. The proposed Bill, entitled the Privacy Amendment (Notification of Serious Data Breaches) Bill, required notification of affected individuals and of the Information Commissioner where an entity had reasonable grounds to believe that a “serious data breach” had occurred. A “serious data breach” was, in broad terms, defined to include unauthorised access to or disclosure of, or loss of, personal information “or certain other information” resulting in “a real risk of serious harm” to any of the individuals to whom the information relates. It also included unauthorised access to or disclosure of, or loss of, information of a kind specified in regulations. “Serious harm” was defined broadly to include physical, psychological, emotional, reputational, economic and financial harm.
The exposure draft Bill does not differentiate between disclosure of information about a single person and disclosure of information about large numbers of people. The effect of this is that a large-scale data breach could fall outside the notification requirement if the data released is not likely to give rise to a risk of serious harm to any single individual. Conversely, a data breach affecting only a single individual will be notifiable where a real risk of serious harm to that individual arises.
This proposed legislation has been put on hold pending a federal election (held on 2 July 2016). Consideration of a potential Bill, which will no doubt take into account submissions made during the year, is likely to continue after the election in the second half of 2016.
When the government elected on 2 July considers whether to progress the Serious Data Breach Notification Bill, it will no doubt consider whether the “serious harm” threshold is sufficiently well defined. Many people have pointed out, including in submissions to the Attorney-General’s Department, that there are likely to be real practical problems for entities when they try to determine whether or not an individual may be exposed to “serious harm”.
The effect of a data breach on an individual will depend on many circumstances not known to the entity, including the resilience of the particular individuals affected. In those circumstances, there is a real risk that the Information Commissioner will be flooded with notifications by entities of one-off, and potentially minor, data breaches which are likely to be notified to avoid any risk of contravening the legislation. The government is also likely to give careful further consideration to the reference to “certain other information” in the definition of data breach, which requires clarification.
Entities have the option of notifying data breaches prior to the passing of legislation. The Information Commissioner encourages notification, and has released guidelines which explain its preferred approach to data breaches.
Many entities also choose to notify affected individuals about data breaches, and consider that this enhances customer trust and avoids the risk of being accused of covering the data breach up if it is later publicised.
It is also important to bear in mind that in some cases there may be an obligation to report a cyber offence to police or to a specific regulator. For example, in New South Wales, it is a crime which can attract a prison term of up to two years not to report to police a serious indictable offence if you have information likely to be of material assistance to police in apprehending the offender: s.316 Crimes Act 1900 (NSW). Where a cyber incident falls into this category, failure to report it to police can have serious consequences not just for the entity, but also for individuals (and particularly lawyers) who knew about the crime.
Effect of data breach notification obligation
It is widely anticipated that introduction of a broad data breach notification obligation will result in greater understanding among Australian consumers of the extent to which cyber incidents occur. It will result in more entities notifying the Information Commissioner and affected individuals of data breaches. It may well also result in a higher number of security-related complaints and claims against Australian entities. It is important to remember that such claims may include negligence claims, as well as claims for interference with privacy.
Cyber insurance
Cyber insurance is becoming increasingly common as companies look to diffuse the risk of a serious incident. Some policies include 24/7 access to panel lawyers and forensics experts with relevant experience as well as coverage for key costs and claims. Careful attention to policy wording is important so that entities understand what risks are, and are not, covered.
Planning for the worst
Entities should now have in place written strategies outlining what they will do if a major cyber incident occurs. This is a good way to ensure that key issues are not missed in the heat of the moment, and also assists to demonstrate compliance with Australian Privacy Principles 1 and 11. APP 1 requires entities to take reasonable steps to implement practices, procedures and systems that will ensure they comply with the APPs. APP 11.1 requires entities to take reasonable steps to protect the information from misuse, interference and loss, as well as unauthorised access, modification or disclosure.
Cyber incidents can differ very significantly and a key aspect of any plan should be to ensure that people with the right mix of knowledge and authority are readily available when an incident occurs or is identified and urgent steps are required. Legal advice is important at that stage: making the wrong move can lead to breach of surveillance or other laws, which could damage an entity’s reputation more than the original data breach. In addition, remedies are sometimes available which can prevent losses. For example, an injunction can be obtained to retrieve stolen data if it remains within Australia (or another jurisdiction in which relief can readily be obtained).
Cyber security is a high priority for most entities in the current environment. It is not possible to avoid the risk of a cyber incident altogether. However, careful planning can significantly mitigate the risks.
Sophie Dawson and Rehana Box are partners at Ashurst Australia. Ms Dawson can be contacted on +61 2 9258 6513 or by email: firstname.lastname@example.org. Ms Box can be contacted on +61 2 9258 6407 or by email: email@example.com.