Cybersecurity – a matter of trust
Key insights:
The recent spate of reported cyber-attacks reflects both increased frequency and greater reporting obligations under Australian law
In late October 2022, the Federal Government announced a huge increase in the financial penalty to be imposed on companies engaged in serious or repeated privacy breaches
Businesses should ask how much of the personal information they are collecting or retaining about individuals is really necessary and incorporate appropriate information governance processes
The last few weeks have seen a series of cyber-attacks impacting prominent Australian businesses, highlighting concerns about the amount of personal information Australians entrust to corporate Australia and whether this trust is being appropriately honoured.
In the 2022 Optus attack, the breached data included identity information originally collected to satisfy customer identity verification requirements but, in many cases, retained for years after it ceased to be necessary; it even included information about former customers, for which there is no obvious justification for retention.
By contrast, the very nature of Medibank Private's business as a private health insurer involves the collection of highly confidential medical records, and questions are being asked about whether the cybersecurity safeguards in place were adequate given the sensitivity of the information held. On 21 October 2022, EnergyAustralia revealed that 323 residential and small business customers had their accounts accessed via the company's MyAccount portal during September and October 2022. These incidents are the latest in a series of cyber-attacks which also included wine retailer Vinomofo and Woolworths' MyDeal website.
The recent spate of reported cyber-attacks is likely due to both increased frequency and greater reporting obligations under Australian law.
Is data the new oil, or the new asbestos?
Data has been described as the world's most valuable resource, because of the ability to mine it for all sorts of commercially valuable insights. However, the breach of data, particularly identity records or other sensitive information, has the potential to cause huge harm to individuals, given escalating levels of cybercrime: according to Cybersecurity Ventures, if cybercrime were a country, it would be the third biggest economy in the world.
For example, the breach of a simple email address might seem innocuous, but may expose the owner to becoming a victim of cybercrime if they receive an email containing banking malware or with some other malicious purpose. In the case of stolen identity documents, scammers can take out loans, apply for credit cards or government benefits, and open bank accounts in a victim’s name that might be used to launder the proceeds of crime. The disclosure of medical records has the potential for massive breaches of privacy leading to financial loss and very significant emotional and psychological distress in the digital era where it is so easy for information to be disseminated. The reputational impact for any organisation where this harm occurs can be huge - particularly when the people most affected are its customers.
Public attitudes – and the law – are changing
In late October 2022, the Federal Government announced that the financial penalty imposed on companies engaged in serious or repeated privacy breaches will be increased from $2.2 million to the greater of $50 million, three times the value of the benefit obtained through misuse of data, or 30 per cent of a company's adjusted turnover in the relevant period.
The requirement to disclose Notifiable Data Breaches (NDBs) was introduced into the Privacy Act 1988 in February 2018. The Act generally only applies to organisations with turnover of more than $3 million, although this small business exception is under review.
An NDB occurs when personal information is subject to unauthorised access, unauthorised disclosure or loss that is likely to result in serious harm to the individuals to whom the information relates. Much of the information known to have been breached in the Optus and Medibank Private attacks clearly falls within this definition, triggering an obligation under the Act to notify both the affected individuals and the Office of the Australian Information Commissioner. In the twelve months following the introduction of the NDB regime there was a telling 712% increase in the number of breaches reported compared to the previous voluntary reporting regime.
Depending on the size and status of a business there are an increasing number of legal obligations requiring disclosure including:
ASX listed entities are required to comply with the continuous disclosure obligations set out in the Corporations Act and ASX Listing Rules. This requirement extends beyond an NDB and includes an obligation to notify a cyber-attack where this has the potential to impact the company’s share price.
Amendments to the Security of Critical Infrastructure Act 2018 require that specific critical infrastructure assets must report certain types of cyber security incidents to the government, in some cases within 12 hours.
In addition to disclosure obligations there are increasing obligations under the general law and industry-specific regulation:
In May 2022 the Federal Court found that Australian Financial Services licensee RI Advice had breached its licence obligations to act efficiently, honestly and fairly when it failed to have adequate risk management systems to manage its cybersecurity risks;
APRA’s Information Security Standard CPS 234 makes clear that the Board of an APRA-regulated entity is ultimately responsible for information security and requires protective measures commensurate with the size of the organisation and threats faced;
Organisations may potentially be exposed to other types of legal claims under the general law for actions such as negligence, breach of contract or breach of the Australian Consumer Law depending on individual circumstances.
This is only a snapshot of the potential legal and regulatory implications of cyber events, without even touching on the reputational and financial costs.
You can’t have a Notifiable Data Breach if you don’t collect or retain information when you don’t need it.
Limiting the information you collect also limits your chance of a breach
Businesses should ask themselves how much of the information they are collecting is really necessary, or whether it is being collected for another purpose that is less easy to justify. If you're a telco, should you keep customers' identity information after the period for which it is required, or after individuals have ceased being your customers? If you're a retailer, do you really need your customer's email address and mobile phone number to issue a receipt for a small transaction? Are you collecting personal information for a legitimate purpose, or to help you market your products? Is it reasonable to collect this kind of information if you don't have adequate cyber security in place?
Prevention is better than cure
Anyone who has seen the impact of cyber events on businesses and individuals knows that prevention is key. This involves educating people, implementing good processes and of course applying appropriate technology protections. Effective response to a cyber event involves incident planning and being able to access the specialist support that appropriate insurance can provide. Cyber events are a whole of business risk and expecting the technology team to be solely responsible for prevention and mitigation is not realistic.
Education involves much more than phishing awareness training; it involves building a cyber-aware culture where people understand the value of data and the importance of protecting it.
The Optus breach occurred as a result of a failure to secure information, but its impact on individuals – and Optus – was compounded by the retention of data long after it was no longer needed, and communications to customers that did not adequately explain what to do next.
At this stage it is not publicly known how the Medibank Private attack occurred, but it has been suggested that the hacker was able to access the network via a compromised computer on which passwords were stored in a browser. The EnergyAustralia incident apparently occurred due to a brute force attack, in which a malicious actor systematically tries passwords until the correct one is found; this was made much more likely because the portal required only basic passwords of eight characters. If these reports are accurate, the attacks may have been prevented by stronger password hygiene, which again comes back to education and processes as well as technology factors.
Where to from here?
The risks to consumers of sharing identity information with businesses are not new, but the scale of the Optus breach, which may have impacted nearly half of all Australian adults, has brought the issue to the fore. The government is right to dramatically increase fines for repeated breaches so as to incentivise compliance, particularly for larger organisations. A huge challenge, however, is up-skilling and educating small businesses, which can also hold highly sensitive data; these include, for example, medical and legal practices that collect highly confidential information from clients.
Cybercrime is expected to lead to the biggest transfer of wealth in human history. Assumptions of ‘this would never happen to me’, ‘you need to be a target to be a victim’, or ‘this is a problem I can leave to my technology department’, will only get in the way of protecting individuals, businesses, and customers.