On 13 February 2017 the Privacy Amendment (Notifiable Data Breaches) Bill 2016 passed both the House of Representatives and the Senate, marking an important milestone for cyber security in Australia: mandatory data breach notification is finally law. It is a reality that every organisation covered by the Privacy Act 1988 will now have to face, so the first question for any business is whether it is covered.
The bill, which has been on the Australian Government’s agenda since 2015 (and, in all fairness, on the agendas of several governments before that), makes it law for organisations to notify when personal information they hold is lost or subject to unauthorised access or disclosure, whether through a cyberattack, a technical failing or plain human error, and the breach is likely to result in serious harm to the people concerned. While some may argue that there are ambiguities, such as what constitutes “reasonable grounds” and the fact that a mere suspicion of a serious breach is enough to trigger obligations, we can all agree that this is a positive step forward. The main benefit is a further step in safeguarding the critical and often sensitive data of individuals and organisations alike.
In essence, if an organisation or individual is aware, or ought reasonably to be aware, that there are reasonable grounds to suspect a serious data breach, it must assess the suspected breach promptly (the scheme allows 30 days for that assessment); and once there are reasonable grounds to believe a serious breach has occurred, it must notify the Australian Information Commissioner and the people whose data has been compromised as soon as practicable. The oft-tried and unreasonably accepted excuse of “we didn’t know” finally ends.
In the past, we’ve read far too many stories of organisations and individuals that covered up data breaches and then suffered the consequences, or only disclosed the breach long after the fact, once the harm had already been done. Everyone involved has suffered as a result of this reprehensible practice, and the true numbers may never be known. The introduction of these laws enforces a measure of accountability and allows the people whose data is at stake to protect themselves much sooner. However, we would be foolish to assume that the laws are an absolute solution; notification only occurs after the breach itself has already happened.
Imagine, if you will, that you receive a notification from ABC Financial Holdings that your data “may” have been compromised, urging you to take steps such as changing passwords and monitoring your accounts for suspicious activity. Wouldn’t you respond more favourably than if you read online about a massive data breach at ABC Financial Holdings that had happened over a year earlier?
As people, we respond more positively to honest disclosure than deceit and denial.
With non-compliant organisations facing civil penalties of up to 1.7M AUD for serious or repeated interferences with privacy, and individuals facing up to 340K AUD, absorbing the cost of failing to report a breach is no small sum and, for some, would mean the very end of their enterprise. Note that these penalties are expressed in Commonwealth penalty units, so the dollar figures rise whenever the unit is indexed; check the current value rather than relying on the numbers quoted here. While some organisations and individuals may now be experiencing a sense of dread and anxiety, I would urge everyone to take a step back, take stock, and understand that there is a way forward.
Remove your hand from the panic button and take a deep breath.
If you have the appropriate resources in-house, organising a team to address these new laws is in order. If, like many organisations, you simply lack the skills and resources, engaging a trusted advisor to assist is highly recommended. In some cases (admittedly rare) it may be no more than a brief review and a box-ticking exercise to confirm that you are compliant, understand your obligations, and can proceed with business as usual.
First, realise it is now time to take stock and accept that you probably have some work to do. A foundation based on a solid strategy is crucial. Do you have a current incident response plan that has been independently audited and validated, and does it name who decides whether a breach is notifiable and who sends the notifications? If, like many, you use hosted or cloud-based services, you should know their current status, because liability may be shared: where more than one party holds the same personal information, the scheme lets one party’s notification count for all of them, but only if it is clear in advance who assesses and who notifies. This should be clearly defined and agreed by all parties in writing; if it is not, get it sorted out now.
Of course, invoking an incident response plan requires one crucial trigger: awareness of the incident itself. Unless you know about a breach (and many organisations are not aware they have been compromised until long after the fact) it is difficult to take action, and the assessment clock cannot even start.
So how do we address that shortcoming? Where do we get this visibility? A vulnerability and risk assessment, performed at a high level and with these laws in mind, establishes your present security posture: what personal information you hold, where it lives, who can reach it, and which weaknesses could expose it. Targeted to your specific industry and tailored to your business, an independent third-party assessment lays the groundwork for an effective incident response plan and answers many of the “what if” questions you may have. Bear in mind that such an assessment tells you where you are exposed, not whether you have already been breached; the visibility needed to actually detect an incident comes from logging and monitoring of the systems the assessment identifies as holding sensitive data. With this knowledge you can move on to remediating the identified issues, which in some cases means a deep dive into the areas of greater concern flagged in the initial assessment.
Visibility is key, and the days of relying entirely on a firewall and antivirus are long gone. Today’s attackers are highly intelligent, very resourceful, and extremely skilled at discovering and exploiting weaknesses that are both technical and non-technical. Sophisticated attack techniques, coupled with crafty social engineering, can quickly circumvent lax security and, increasingly, even well-fortified environments. A defence-in-depth approach, with the ability to detect and respond to events before, during, and after an incident, is essential.
You may wish to follow up a vulnerability assessment with a penetration test, which actively attempts to exploit the weaknesses found, and with an exercise that rehearses how your organisation would respond to a breach. This is nearly always an unsettling and eye-opening experience, but it justifies the eventual expenditure on bolstering your security and decreases the likelihood that you will find yourself facing massive fines or worse in the future. I would also strongly recommend acquiring cyber insurance if you don’t already have it and, if you do, conducting a thorough review of your policy to confirm that breach notification costs are covered. This can make a massive difference when it really counts.
The outcomes of vulnerability assessments and penetration tests often drive change, but frequently only at a technical level, where more tools and services are added to an already overcrowded infrastructure. Instead, change at an organisational and process level is usually what is needed, prioritised in the order people, process, environment, and technology. By knowing where you are and where you need to be, you can develop your roadmap and define a strategy to connect the dots. What cannot be part of that strategy is any element of complacency.
Raising awareness and educating your organisation is but one step. The gap between ignorance and awareness is big, but nowhere near the chasm between awareness and action. Your team needs to buy in to this strategy and understand not just what it means to the organisation (which, sadly, is often met with indifference or apathy) but what it means to them personally; knowing that your organisation’s reputation is attached to your own reputation can be a bit of a wake-up call. By the same token, being recognised as part of an organisation seen as a security leader is a good thing.
Now that you’ve taken stock of where your organisation stands with regard to the data breach notification laws, identified your strengths and weaknesses, and begun the process of personal and organisational change, what is next? Avoid complacency and never rest. While the laws themselves may not change, the threats to your organisation are ever-evolving, so once you have achieved a level of compliance, keep finding ways to improve in each area. Still unsure of how to begin?
Contact us today so we can help.