February 22nd is fast approaching: that is the day mandatory data breach notification (MDBN) finally becomes law in Australia. Yet many organisations do not understand their obligations under the more stringent requirements, and plenty of circulating information is adding to the fear, uncertainty and doubt (FUD) of Australian executives and compliance teams about what the new laws mean for their business. Under the new rules, an organisation can be exposed to fines and costly investigations if an incident results in personal information in its care being misused or misappropriated. The penalties for non-compliance are significant, and the reputational damage from a mishandled breach is real. Business leaders therefore need to understand their obligations and prepare a compliance approach now.
The nature of the MDBN laws means that, while their intent is to get organisations to better protect the data in their care, anyone aggrieved by an organisation can become a whistle-blower. Even if you have done your due diligence and believe a cyber-attack has not put personal data at risk, members of your customer base, disgruntled employees or competitors may post about it on social media or tell the local newspaper. If the Office of the Australian Information Commissioner (OAIC) is the last to find out, and it turns out to be a legitimate notifiable data breach that the organisation ignored, the organisation will face the full wrath of the OAIC, along with a costly investigation and a possible fine.
Organisations must adopt a cogent and well-considered strategy for dealing with incidents, including a plan for handling the press, since this kind of exposure can irreparably damage a business. If you are one of those who think all publicity is good publicity, positive or negative, four words should make you think again: Australian Bureau of Statistics.
If your organisation is hacked but you are unsure of the extent of the compromise, the first thing to do is invoke the incident management plan and start an investigation. That plan should cover containing the breach and following your rehearsed steps for dealing with an attack: drafting PR statements, communicating with executives and a deeper technical analysis of what happened. Your incident response team will analyse system and application logs, looking for evidence of the attacker's intrusion into each of your important systems. At this stage, T+0 (the moment you find out you have been breached), treat the incident as a suspected 'eligible data breach' under the MDBN law and give it the highest priority. The law requires a reasonable and expeditious assessment of whether the breach is notifiable (to be completed within 30 days of the suspicion arising), so start that assessment immediately and, in parallel, begin preparing the official statement (known as a notice) that you will send to the OAIC and the notice you will send to affected individuals. Supporting information to help the OAIC understand the nature of the breach may also be provided where appropriate.
The OAIC may contact you shortly after you give notice to discuss your incident response activities to date and understand how the investigation is unfolding. If they believe you have everything under control, they will most likely leave you to it; if not, they may decide to become involved. The OAIC has the power to investigate incidents involving the compromise of personal information. If you have tried to mislead them or downplay the severity of the incident, they will soon find out, and from that point their approach may become more confrontational. If the OAIC launches a formal Commissioner Initiated Investigation (CII), it will include a deep dive into the processes, technology and even personnel security measures in your business, so it can become intrusive and incredibly time consuming. The reality is, however, that the OAIC, like any other government agency, works on a limited budget with limited staff and resources for investigations of this kind, so higher profile breaches, such as the exposure of the Red Cross Blood Service donor database in October 2016, will be given priority. In public statements the OAIC has said that it intends to help organisations comply with the new privacy legislation rather than punish them for failing to, so its approach is fundamentally cooperative and encouraging.
The most likely consequence of not reporting an 'eligible data breach' is that the OAIC finds out through the media or an aggrieved consumer and launches its own investigation. Any decision not to report must follow a proper assessment of whether the incident is notifiable under the new laws; not reporting should never be the accepted default, since it exposes the company to a hefty fine and to being named and shamed in the media for trying to cover the breach up. Those outcomes are bad for business, so if the decision is made not to report a breach, even because you firmly believe the law does not require it, record the assessment and have the decision signed off as an executive company decision. If you are unsure what to do in a given circumstance, ask a lawyer who understands Australia's privacy legislation and, if possible, one who specialises in information security matters.
If you have not reported the breach and the OAIC investigates your organisation and finds that the failure to report was a breach of the law, whether deliberate or negligent, it may pursue enforcement action against the company. Your customers may also engage lawyers, especially where the breach of personal information is significant, and you may find yourself facing a class action.
There are a few limited exceptions in the new legislation where organisations or agencies are not obliged to notify an otherwise 'eligible data breach', primarily for law enforcement agencies and the national security and intelligence community. Organisations with an annual turnover below $3 million (AUD) are generally not covered by the Privacy Act 1988 and so will not have to comply with the new law, although some small businesses, such as health service providers, are covered regardless of turnover. Finally, if you have taken remedial action before any serious harm results, so that serious harm to the affected individuals is no longer likely, you are not required to notify.
MDBN is coming, so be prepared. If your business does not have an incident response plan, create one, and make sure it includes response steps for gathering the evidence needed for notifications to the OAIC and a communications plan for the customers affected by a breach. Rehearse the plan, so that when something does happen it is not the first time the process has been tried and tested.
To prevent breaches, also consider improving your overall cyber security countermeasures. Logging, auditing and alerting should be core to your operational security capability, so that you detect a breach when it occurs rather than hear about it from a third party. Consider rolling out an internal security awareness training programme so that staff understand threats such as phishing and compromised web servers. Most breaches still start with a phishing email, so building a security-aware culture should be one of the first changes you make to reduce your risk exposure.