Annelies Moens, Managing Director at Privcore, discusses mandatory data breach reporting one year on, and simple and effective steps to mitigate cyber and privacy risks. This article is the conclusion to her two-part series, which recaps the key points from her recent presentations on Data: Your Organisation’s Core Business and Your Obligations, at the Inaugural Employment Taxes and Financial Obligations Conference, and on the Privacy and Mandatory Data Breach Notification Regime: Data – Your Client’s Core Business, at the 6th Annual 10 Points in One Day. Read Part 1 here.
The mandatory data breach reporting scheme has been in effect since 22 February 2018. In its first year, we are on track for ~1,000 data breach incidents to be reported to the Office of the Australian Information Commissioner (OAIC). Between 22 February and 31 December 2018, 812 data breaches were notified to the OAIC, an average of 20 notified data breaches per week.
Generally, two-thirds of notified data breaches are due to malicious or criminal attacks and one-third to human error. Within the malicious or criminal attack category, cyber incidents dominate, representing 68% of the reported data breaches according to the Oct-Dec 2018 quarterly statistics report from the OAIC. It is instructive to break down the cyber incident category because, contrary to common belief, hacking represents only 8% of the problem.
The largest cause of cyber incidents is phishing attacks (43%), with a further 24% due to compromised or stolen credentials (which may themselves result from phishing), bringing this category to a total of 67%. These statistics have been similar in each reporting quarter, which suggests that Australian professional service firms and other targeted sectors are doing little to minimise this risk. The risk can be mitigated through the adoption of two-factor or multi-factor authentication. With multi-factor authentication enabled, should a phishing attack compromise usernames and passwords, the attacker will find their attempt significantly thwarted if a further step is required before access to the account is granted. In an earlier article, I discussed the differences between the types of two-factor authentication methods: hardware tokens and software tokens are the most secure, and SMS two-factor authentication is the least secure (though SMS is still a little better than having no two-factor authentication at all).
Multi-factor authentication is essential under the Privacy Act
Australian Privacy Principle 11 outlines regulated entities’ obligations in terms of securing personal information from misuse, interference, loss and unauthorised access, modification or disclosure. It requires that “such steps as are reasonable in the circumstances” must be taken. Multi-factor authentication is a reasonable step to take to secure personal information. If that reasonable step (multi-factor authentication) is not taken, then the regulated entity is in breach of the Privacy Act. An interesting exchange between the Australian Information and Privacy Commissioner and Senators during Senate Estimates hearings on 22 October 2018 supports this interpretation. The relevant parts of that exchange are reproduced below:
Australian Information and Privacy Commissioner – Angelene Falk:
“the main issues that we’re seeing in terms of cyber are around compromised credentials. An email might be sent or a text sent-phishing-purporting to be from a legitimate institution and luring an individual or tricking them into providing their password or log-in information. That’s why some of the messaging that we’re now able to do coming out of these reports is to look at the kinds of ways that could be prevented. One way is to have multi-factor authentication in place”
“Do you have the authority to impose that (multi-factor authentication) on organisations, or only to suggest?”
Australian Information and Privacy Commissioner – Angelene Falk:
“Under the Privacy Act the test is that they must take reasonable steps to protect personal information. The kinds of measures I’ve outlined are reasonable steps. If they fail to have those in place, an individual could make a complaint or indeed I could investigate on my own initiative.”
Type of breaches that need to be reported
The intent of the mandatory data breach reporting scheme is to help those affected by a data breach to minimise the harm they may experience, whether through identity theft, reuse of stolen passwords and other credentials to compromise other accounts, financial loss, embarrassment, reputation damage or other harms. The scheme applies to all entities regulated under the Privacy Act. This includes federal government agencies, ACT government agencies, private sector entities with an annual turnover greater than $3 million and some small businesses regardless of turnover, such as health service providers. It also applies to otherwise exempt small businesses if they handle tax file numbers. Hence, the obligations under the mandatory data breach reporting scheme will apply to small professional service firms in relation to TFN information that may be breached.
An ‘eligible data breach’ as defined in Part 3C of the Privacy Act must be notified when
“(a) there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by the entity; and
(b) the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates.”
Entities have 30 days in which to undertake their assessment. Under the General Data Protection Regulation, the comparable data breach notification requirement calls for notification within 72 hours of discovery.
The term serious harm is undefined in the legislation. The explanatory memorandum accompanying the bill, however, provides examples of serious harm. These include unauthorised access to permanent information relating to an individual that cannot be changed, such as their date of birth. For this reason alone, entities that do not require this data point should never collect it, as it escalates risk enormously. Many organisations simply need to know that someone is over 18 or falls within an age range, which presents much less privacy risk. Disclosure of address details may also cause serious harm, especially in circumstances where domestic violence is at play or restraining orders are in effect.
There are some exceptions to notification requirements, including where action is taken to remediate before the breach is likely to result in serious harm. This could, for example, occur when an email containing personal information is inadvertently sent to an incorrect recipient, and that recipient is contacted and advised of the mistake and asked to delete it, and the sender is confident that the incorrect recipient has deleted that information.
Another important exception applies when multiple entities are involved in the same data breach, for example where subcontractors or vendors are involved. As long as one of those entities has undertaken the notification, the law treats this as having been done for all entities. A real example of this was the PageUp data breach that occurred in mid-2018, for which the OAIC received over 50 notifications when one would have been sufficient. Contracts between contractors and subcontractors need to address which party will undertake the notification obligations when a data breach takes place.
Should notification be required after the relevant assessment has taken place, the notification itself must set out the following:
- The identity and contact details of the entity
- Description of the data breach
- The kind of information in the data breach
- Recommendations on what affected individuals should do in response to the breach
Unfortunately, data breaches are a commonplace occurrence, and the lack of care organisations are demonstrating in their stewardship of their customers’ personal information must be addressed. However, there are simple steps to mitigate and manage these risks, as outlined in this article (Part 2) and in Part 1.
Annelies Moens, CIPT, FAICD, CMgr FIML is a widely recognised global privacy expert and thought leader, trusted by business executives, government and privacy professionals, with close to 20 years’ experience. She is Managing Director of Privcore and co-founder of the International Association of Privacy Professionals in Australia and New Zealand. She held elected roles during her six-year Board term, including as President. She has held several senior leadership roles, including as Deputy Managing Director of a privacy consultancy, External Relations Manager at an online legal publisher, Group Manager and Chief Privacy Officer at a copyright licensing agency, and Deputy Director at the Australian privacy regulator. Annelies has an MBA in general international management (distinction) from the Vlerick Business School in Belgium, is a qualified lawyer, and has undergraduate degrees in computer science and law (first class honours) from The University of Queensland, Australia.