Australian Mandatory Data Breach Notification Scheme off to a Flying Start

Share on Facebook0Share on Google+0Tweet about this on TwitterShare on LinkedIn0Email this to someone

With 63 reported data breaches in the first six weeks, the OAIC has its work cut out. Australia’s Mandatory Data Breach Notification(MDBN) scheme came into force on 22nd February 2018, and in the first six weeks there have been 63 cases reported to the Office of the Australian Information Commissioner (OAIC).

This much-anticipated update to Australia’s Privacy Act is hailed as a foundational shift in our nation’s stance on information privacy and security matters, where the government now insists entities (companies and government departments that meet the applicability criteria) must notify the OAIC and affected individuals if there is a breach of personal information.

The OAIC has now released their first quarter’s report on notifiable data breaches (NDBs), and while the headline figure of 63 cases is interesting, in the report’s detail there are some incredibly telling statistics that Australian business should heed. Last year, OAIC reported 114 voluntary notifications across the entire year, but in March 2018 alone they have logged 55 individual breach notifications. If this trend continues for the rest of the year, and by all account it will likely grow, we could see a 12-month total of over 600 cases for the OAIC to manage.

OAIC 1st Quarter Report – What does it tell us?

The introduction of mandatory data breach notification doesn’t materially change the Privacy Act’s underlying principles, rather what has changed is what organisations are expected to do when a breach occurs. Until this legislation was pushed through, the mindset of breached companies was to bury the attack for fear of reputational damage. After all, in a highly competitive market, reputation is everything, and why should an organisation advertise the fact they were negligent with their customers’ information when it could cost them business. Yet it’s this mindset that mandatory notification is supposed to change. In other parts of the world, such as the United States, governments have already introduced more stringent legislation, with even tighter control in the European Union with the new General Data Protection Regulation (GDPR) coming in.

Under the Privacy Act 1988, Australian organisations have an obligation to secure any personal information they hold. This legislation has been in place for the last thirty years, yet our recent changes mean organisations now must notify those affected (and the OAIC) when personal information is involved in a breach that could cause “serious harm”. These data breaches are referred to as ‘eligible data breaches’ and in all cases, eligible data breaches must be reported to the OAIC.

A data breach notification provides individuals with the chance to take steps that reduce their risk of experiencing harm, such as changing relevant passwords for online accounts. This can reduce the overall impact of a breach. More broadly, the transparency provided by the NDB scheme reinforces Australian Government agencies’ and businesses’ accountability for personal information protection and encourages a higher standard of security.

Australian Information Commissioner and acting Privacy Commissioner, Angelene Falk

The OAIC’s Privacy Commissioner, Angelene Falk, says our new mandatory data breach notification laws will help improve Australia’s understanding of the issues associated with cyber security and breaches and will “promote a proactive approach to addressing security risks.”

Several important points are raised in the OAIC’s report:

  • The primary industry sectors making notifications under the new legislation are health, legal, accounting and management, followed closely by finance, private education, and charities;
  • The majority of eligible breaches involve an individual’s contact information, while the rest involve a mix of health and financial information; and
  • Over half of eligible breaches were caused by human error

The clear majority of data breaches (73%) reported in this period affected less than 100 people, yet that leaves 27% affecting more than 100, and three specific breaches affecting more than 10,000 individuals..

What can businesses do to better prepare to deal with cyber security issues and ensure, when a breach occurs, they contain the threat and report appropriately to those affected and the OAIC?

Security Information and Events

A variety of factors can affect an organisation’s security posture, including how diligent they are in patching their computer systems and how well they keep their computers free of malware and viruses. Furthermore, the more mature organisations will instil an audit regime, whereby user actions are logged, and they can investigate unusual or suspicious behaviour. With human error as the largest cause of breaches reported to the OAIC, it’s incredibly important that organisations don’t only focus on addressing the threat of attackers. Human error is defined as an inadvertent disclosure, often caused by the user accidentally sending something containing personal information to the wrong recipient. Furthermore, a user might forward work-related documents to their personal email system – with the intent of working at home to finish a project – or take those files off the organisation’s network on removable media, all with good intentions.

Managing Data Breach Notification – How can Technology Help?

Many of the breaches that get reported to the OAIC could have been avoided with the right assurance protocols introduced into the business. User training is the top control, making it clear to users what is acceptable and what is not. If users don’t know they shouldn’t email their work to their Gmail account, then you can’t blame them for being diligent and wanting to work extra hours.

Yet after all the user training, policy and procedure writing and expectations placed on users to do the right thing, there are still breaches that will occur as mistakes happen and criminals want your data. This is where security information and event monitoring (SIEM) systems and user entity behaviour analysis (UEBA) systems come in. A SIEM will ingest all the data produced by operating systems, application and network devices as users process and store data. Every action on a Windows operating system, for example, can be logged, and that audit trail can be used to investigate what happened, should you suffer a breach. However, that’s retrospective, so what’s really needed is a proactive approach to detecting breaches, where we can detect the attack as it begins, catching it before serious harm is caused.

UEBA systems ingest all those vociferous logs files, along with any other relevant security information, and mine the data for indicators of attack. Over a short period of time, the UEBA technology will learn what normal behaviour on your systems looks like, building a model that can then be correlated against the real-time flow of security information entering the SIEM. For example, if the normal ebb and flow of data through your Internet connection looks like a typical distribution curve, a sudden spike overnight will trigger the UEBA system to raise an alert. The alert won’t necessarily mean there is an attacker stealing data, but the change in what’s considered normal is worthy of investigation.

Mandatory Data Breach Notification – The Implications

Every organisation that falls within the scope of the OAIC’s Mandatory Data Breach Notification legislation must consider how it can improve the security of its people, processes and technology. Hiring security professionals, those who are trained and experienced enough to understand how to fully protect an organisation, can be an extremely costly exercise, which is why as-a-service security models have appeared over the past few years. For the price of a junior security staffer you can now take on the services of a Managed Security Service Provider (MSSP), who provides the SIEM tool, the UEBA technology and team of experienced staff working around the clock to properly rebalance the security equation.

Huntsman Security can work with you to ensure you get the very best cyber security protections for your business, whether it’s insourced or outsourced, to ensure you stay on the right side of Mandatory Data Breach Notification legislation, keep your customer information safe and keep the bad guys out of your network.

Discover preventative strategies to minimise the number of data breaches – download our Personal Data Breach Mitigation 4 Step Best Practice Checklist