Annelies Moens, Managing Director at Privcore, discusses mandatory data breach reporting one year on and, simple and effective steps for schools to mitigate cyber and privacy risks. This two-part article series recaps the key points from Annelies’ recent presentations on Data: Your Organisation’s Core Business and Your Obligations and on the Privacy and Mandatory Data Breach Notification Regime: Data – Your Client’s Core Business. Below is Part 1.
Educational bodies, in particular schools, that handle the personal information of minors need to be aware of key privacy and cyber risks facing their organisations. They are major targets for cyber incidents and, since reporting began from 22 February 2018, have consistently been the top four target in the data breaches that have been reported to the Office of the Australian Information Commissioner. In relation to the education sector, these reports focus on private education providers and the Australian National University, as public schools are covered under state and territory legislation.
Schools are targets because they hold large amount of children’s and parents’ personal information. Commonly breached type of data includes contact information, financial details, identity information and tax file numbers. The top targeted sector is the health care sector. This article focuses on steps educational bodies can take to address their risks.
The mandatory data breach reporting scheme
The mandatory data breach reporting scheme contained in Part 3C of the Privacy Act 1988 (Cth) (the Privacy Act) as amended applies to all entities as regulated under the Privacy Act. This includes federal government agencies, ACT government agencies, private sector entities (including private education providers) with an annual turnover greater than $3 million and some small businesses regardless of turnover, such as health service providers. It also applies to otherwise exempt small businesses if they handle tax file numbers.
In any event, all educational providers should heed the requirements as set out in the Privacy Act as a data breach can result in loss of customer trust and reputational damage. As outlined further in this article, risks can be minimised through simple mitigation strategies. Customer concerns are escalating, so how educational providers manage children’s and parents’ data is a matter that requires serious attention. In a recent survey that the ACCC commissioned as part of its Digital Platform Enquiry in late 2018, it asked over 4,300 adults the following: “compared to one year ago, how concerned are you about the privacy of your personal information on digital platforms?” The results showed that 54% were more concerned.
Top Global Risks
Two of the top five global risks likely to eventuate as reported in the World Economic Forum’s Global Risks Report 2019 are data theft or fraud and cyber attacks. The remaining top risks related to climate change events. Common privacy and cyber risks include:
- Over collection of personal information
- Never deleting data – it is easier to keep data than to delete it due largely to the increased storage and processing powers of computers
- Third party arrangements with vendors and suppliers that may not protect personal information – example outsourcing and cloud
- Phishing attacks
- Human error – for example emailing personal information to the wrong recipient
- Loss or theft of data – for example losing a USB
So, what happens WHEN you have a data breach?
I always like to ask my clients four key questions, and if they can answer these questions, then they are well on their way to being able to manage a data breach when it occurs.
1) How will you know you have been subjected to a data breach?
2) What’s the impact of a data breach?
3) How do you minimise the risk/impact of a data breach?
4) How do you implement a data breach response plan?
It is not necessarily immediately obvious when your school has been subjected to a data breach. Whilst it only takes hours for data to be stolen or corrupted, once your system has been infiltrated it can take months and sometimes years for the attack to be discovered. In the 2018 IBM Ponemon Data Breach Study, the average time to discover a compromise was 6.5 months. This study included a sample of 24 Australian organisations (representing 5% of the surveyed population). Once the breach is discovered, it can still take months to contain. So, much more effort and resource is required to detect and contain cyber incidents.
The impact of a data breach can be crippling. Cyber incidents often reach the press without the affected entity controlling messaging, which is especially the case if they have been trying to hide the breach. That is a flawed strategy. Reputation and trust diminishes, regulatory intervention may occur and the breach will have to be reported to the OAIC if it is likely to cause serious harm to affected individuals. Other impacts include litigation, loss of value and sometimes businesses can shut down, which is the fate that struck Distribute.IT, a former major web hosting provider based in Australia.
According to the 2018 Ponemon Data Breach Study, the average total cost per data breach in Australia in 2018 was approximately $US 2 million. Data breaches caused by third parties, compliance failures or migration to the cloud resulted in higher costs. Costs of data breaches decreased where data breach response teams were deployed or extensive encryption was in place. Malicious and criminal attacks are the main causes and also the most expensive, at $US108 per record in Australia.
It is, of course, with the right leadership support possible to minimise the risk and impact of a data breach. Common mitigation strategies include:
- Only collecting the data needed – be clear about what is optional and what is mandatory – think about creating lean data rather than big data
- Have a data destruction plan in place and execute it
- Have a data breach response plan in place – expect a data breach to happen
- Undertake privacy and phishing training for staff
- Never use the same password across accounts and use complex passphrases – use a password safe program to create and securely store passwords
- Enable multi-factor authentication
- Encrypt all storage devices – laptops and USBs
- Consider cyber insurance and undertake a privacy health check
It is still important to have a data breach response plan in place, even after taking the above mitigating steps, as in the heat of the crisis, rational thinking will decline and stress levels will increase. The Office of the Australian Information Commissioner has produced guidance on managing data breaches. The key steps to undertake include:
1. Contain the breach and perform a preliminary assessment within 30 days (or 72 hours if you are also required to comply with the General Data Protection Regulation in Europe)
2. Appoint a lead person to manage the response team – this person can either be an external person, such as a privacy consultant, or an internal person with decision making power
3. Evaluate the risks associated with the breach
4. Consider whether the breach is likely to cause serious harm and thus triggers the mandatory data breach reporting provisions, if not consider voluntary notification in any event as a matter of good practice
5. Review the incident and take action to prevent future breaches
Part 2 will include an analysis of the mandatory data breach reporting scheme one year since commencement on 22 February 2018.
Annelies Moens, CIPT, FAICD, CMgr FIML is a widely recognised global privacy expert and thought leader, trusted by business executives, government and privacy professionals with close to 20 years’ experience. She is Managing Director of Privcore and cofounder of the International Association of Privacy Professionals in Australia and New Zealand. She held elected roles during her six year Board term, including as President. She has held several senior leadership roles, including as Deputy Managing Director of a privacy consultancy, External Relations Manager at an online legal publisher, Group Manager and Chief Privacy Officer at a copyright licensing agency, and Deputy Director at the Australian privacy regulator. Annelies has an MBA in general international management (distinction) from the Vlerick Business School in Belgium, is a qualified lawyer, has undergraduate degrees in computer science and law (first class honours) from The University of Queensland, Australia. Contact Annelies at firstname.lastname@example.org. You can also connect with Annelies via LinkedIn