ICDA Home  |  Our Community  |  About Us  | 

data breach laws Feb 2018 update

Cyber risks: Have you acted on new data breach laws?

By Matthew Schulz, journalist, Our Community

Cyber crime, Foter

Don't be caught unprepared.. Picture: digital content via Foter

AUSTRALIAN not-for-profits must comply with new laws that require them to notify authorities if they've had a significant data breach.

The news laws came into effect on February 22, 2018, which means any breaches after that date must be reported.

The law requires not-for-profits with more than $3 million in annual turnover to notify authorities of data breaches.

Organisations face fines of up to $2.1 million for breaches.

Aon insurance's national practice leader for cyber risk, Fergus Brooks, says that in the past among not-for-profits, and others, there has been "a culture of not telling people when they've lost people's data".

But the expert from the Our Community insurance partner says not-for-profits deal with "very private records because of the nature of their business", and that can't go unregulated.

His industry has been buzzing with suggestions that the Federal Government is ready to "throw the book at organisations that aren't sufficiently securing the information they're trusted with".

"I think they've got their eye on some organisations already," he says.

"Now it's crunch time and you don't want to be the one that is made example of."

Our tougher Australian laws are being mirrored in the US, Asia and Europe, with many not-for-profits doing business in those countries.

The Office of the Australian Information Commissioner (OAIC), said ahead of the new laws being enforced, it had worked with consumer groups, not-for-profits, and Australian Government agencies in the development of new resources aimed at clarifying the new rules.

The Australian Information Commissioner, Timothy Pilgrim, said, "the Notifiable Data Breaches scheme formalises a long-standing community expectation to be told when a data breach that is likely to cause serious harm occurs.

"The practical benefit of the scheme is that it gives individuals the chance to reduce their risk of harm, such as by re-securing compromised online accounts. The scheme also has a broader beneficial impact - it reinforces organisations' accountability for personal information protection and encourages a higher standard of personal information security across the public and private sectors," Mr Pilgrim said. 

Those resources can be accessed here:

IN DEPTH: Guidelines about the Notifiable Data Breaches scheme (Office of the Australian Information Commissioner)

NEW RESOURCES:  Data breach guidance from the OAIC

WHAT YOU MUST DO: Steps to take in case of a data breach notification (OAIC)

What's your plan of action?

Not-for-profits should already have a plan of action to be implemented if a breach or a cyber attack occurs.

Depending on the organisation, this could include having an insurer, legal advisers, public relations experts and information technology experts on hand to assist with a crisis.

Not-for-profits should develop an "incident response plan" and test it, Mr Brooks says.

"Let's say you get an email demanding $5000 or they'll release some private information. What are you going to do next?"

This includes your immediate "incident response" reaction in the first 24-48 hours, which may include determining what type of attack has occurred and how to protect remaining data.

The secondary part of your plan should assess how you're going to respond to any regulatory or legal claims, with the risk of class actions in Australia increasing.

"It's not difficult, and there's plenty of organisations - and Aon is one of them - where organisations can get help," Mr Brooks says.

More about the new data breach laws

The much anticipated Privacy Amendment (Notifiable Data Breaches) Bill 2016 come into force on February 22, 2018. The new law makes it mandatory to notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals if your organisation has a data breach. This is Aon's advice.

Who do the changes apply to?

The new law applies to public and private organisations that are already subject to the Privacy Act. This includes Australian government agencies (excluding state and local government) and all businesses and not-for-profit organisations with an annual turnover more than $3 million.

When will the new law come into effect?

The new law came into effect on February 22, 2018.

What happens if you don't comply?

If your organisation doesn't comply with the new laws, you could face penalties including fines of up to $360,000 for individuals and $1.8 million for organisations.

Aon says these financial implications will require a systematic change of attitude for many organisations, and conversations about cyber risks and data security need to be elevated to boardroom level.

How can your organisation prepare?

Aon recommends that organisations affected by the new law act immediately - appoint a steering committee to address the new law changes, run a full risk assessment, and consider your insurance coverage to ensure your organisation is prepared when the law comes into effect.

If you're not prepared you'll WannaCry

Despite global cyber attacks that brought down government sites across the world early in 2017, Australian not-for-profits have been relatively slow to act to protect themselves from inevitable attacks and data breaches.

Those ransomware attacks swept the globe, targeting governments, major firms, hospitals and other essential services.

The "Petya" virus spread hot on the heels of WannaCry, with both viruses encrypting data on computers, and attackers demanding payment in crypto-currency Bitcoin to unlock the data.

One security expert, Richard Metcalfe from FireEye, quoted in The Australian, says the only reason Australia wasn't hit hard by the WannaCry virus attack in May 2017 was that "many of us were at the pub".

It was simply "pot luck" that the virus happened to strike Friday night Australian time, which is why so many other countries took such a big hit, Mr Metcalfe told the outlet.

And while Microsoft's most recent security report shows 3.5% of computers in Australia were hit by malware in March - less than half the global rate - there's no guarantees the figure won't skyrocket with a significant attack.

cyber hacker

Not-for-profits can't afford to be lax with data security and privacy. Picture: Christoph Scholz/Flickr

It is big businesses that have got the attention of hackers in the most recent big attacks.

They include credit reporting agency Equifax, with a hack revealed in September that affected 143 million customers, causing its share price to plunge.

In the same month, another report revealed huge accounting firm Deloitte had been targeted in a sophisticated attack that compromised confidential advice.

But not-for-profits aren't immune.

One US not-for-profit lost 500 records containing tax and personal finance details, which were posted for sale on the "dark web".

Not-for-profits an easier target

Mr Brooks says not-for-profits shouldn't think they're immune because they're a smaller target.

"There's a misnomer that cyber criminals are going after the top end of town," Mr Brooks says.

"But they're much harder targets compared to smaller organisations, which are often more willing to pay the $10,000 to retrieve data from a ransomware attack."

He says six-figure costs are quite likely for organisations that get hit by a hacker.

"Cyber criminals certainly don't discriminate, or have morals, when it comes to whether or not they'll target a not-for-profit."

Many smaller organisations don't reveal if they've suffered a data breach or attack, for fear of the reputational damage, but that is about to change with the new federal laws .

Yet the US-based National Cybersecurity Center says months after the warnings following the global attacks, for most small and medium organisations, cybersecurity "hygiene" - or proper training and procedures - was "sorely lacking".

Its chief executive, Ed Rios, says the problem is too often ignorance, with 75% of attacks a result of human error, usually clicking on a malicious link or using a weak password.

Fergus Brooks

Time to increase vigilance

That lax approach is no different in Australia, says Mr Brooks. 

"What tends to happen after a major attack is a whole lot of noise, which prompts people to patch things up," he says..

Since the attack, smaller not-for-profits had forgotten about the risk and were demonstrating less vigilance than bigger organisations.

"We're continuing to see claims for ransomware, but it is now more coming from the small to medium rather than the corporate sectors," Mr Brooks says.

"It's not a matter of if something bad happens, but when something bad happens, whether it's dropping a USB key, tablet, or laptop; or that someone targets you because they've decided they hate your organisation because of your religious or political stance."

So what are the risks?

New laws and continued attacks are a sobering reminder of the cyber risks now faced by organisations of all types.

Without a plan of action, your organisation's data could be compromised, putting confidential information, stakeholders' contact details, private health files, and mission-critical software at risk of exposure or deletion.

Mr Brooks says key cyber risks for not-for-profits revolve around the sensitive information they hold, such as personal and healthcare information.

Threats to organisations from cyber breaches include:

  • business interruption leading to income losses and expenses
  • the cost of restoring data
  • notification and investigation costs
  • the costs of any extortion
  • public relations and communications costs
  • legal costs linked to privacy, defamation, damages and intellectual property claims
  • fines and penalties.

During 20 years working in information security, Mr Brooks has seen dramatic growth in cyber crime, with 85% of attacks now linked to ransomware coming from regions including eastern Europe, Taiwan, China, and the US and from home-grown cyber crooks.

Those attacks involve hackers using legitimate-seeming emails or software to bait users into activating computer viruses that scramble data.

Victims are issued with demands to pay a ransom to regain control of their computers, and in some cases criminals will sell or threaten to release the data they've harvested from hijacked computers and servers.

But despite all the warnings - and even after security awareness training - "people are still clicking on that link", as criminals develop increasingly sophisticated methods to entice victims, Mr Brooks said.

Baiting methods include faked emails from senior managers, timing attacks for when people are on leave, and conducting rigorous background research about organisations before attacks.

Recent Aon client seminars have highlighted confusion about how the new laws will work, but Mr Brooks says any "serious" breach - even the release of a single sensitive email - could require organisations to notify authorities.

Cyber-protect your organisation now

The government Australian Cyber Security Centre says organisations should do the following to protect themselves from cyber attack:

  • Patch and update systems immediately, including Microsoft operating systems. Using unpatched and unsupported software increases the risk of cyber security threats such as ransomware.
  • Back up your data. If you do not have backups in place you can arrange to use an off-site backup service. This is good practice for all users.
  • Ensure your antivirus software is up-to-date.
  • Individuals and organisations are discouraged from paying the ransom, as this does not guarantee access will be restored.

Mr Brooks says the attacks this year are "the same vulnerability being exploited". 

"Patches are out there, but the reason this can still happen is that people either still haven't patched vulnerable systems, or they are unable to.

"In the Petya attack, the ransom is just $US300. So it's not targeted at any business in particular, just anyone who's silly enough to pay it. It's not clear even if you do pay it that you'll get the digital key to unlock your data." 

Mr Brooks says the reasons why organisations may be unable to patch their systems include:

  • They are running legacy applications that won't work with updated versions of Windows (the UK's NHS had this problem)
  • They are running illegal pirated copies of Windows that can't be patched
  • They have IT officers who don't have full oversight of their network, or haven't made cyber threats a high enough priority.

"It's not that firms aren't aware of the problem, it's just not in the line of sight, or nobody's sure who is managing it."MORE INFORMATION:

Aon offer: NFP cyber insurance

Special alert: What is ransomware all about? (courtesy Aon)

Defence Department's top four methods to mitigate targeted cyber intrusions

Office of the Australian Information Commissioner guidelines for handling data breaches

From Our Community: Damn Good Advice on Cyber-safety and Fraud Prevention

More Our Community News

This article updates our earlier report, following the WannaCry attacks and news of the data breach changes.




NFP special coverage: Develop your digital strategy.

Training
View All