Last month the Office of the Australian Information Commissioner (OAIC) released the latest Notifiable Data Breaches (NDB) Report, covering July to December 2019, showing that data breaches have increased by 19% in the second half of 2019. The trend stresses the need for organisations to develop and regularly test a data breach response plan that can help minimise the financial, reputational and regulatory impact of a cyber incident.
According to the OAIC, 67% of breaches were attributed to “malicious or criminal attack,” with human error the second most common cause at 32%. However, even in the case of malicious or criminal attack, the underlying factor was acknowledged to be tied to human error. In order to exfiltrate data and gain access to the network, criminals target employees or third parties via social engineering tactics (often through phishing emails). The OAIC data reinforces the need for Australian organisations to consider humans a critical part of their security strategy and ensure they have a plan to implement and nurture a strong security culture.
Healthcare was again the highest reporting sector, responsible for 22% of all reported breaches. This trend was echoed globally, with a recent report showing 67% of healthcare organisations in the UK suffered some form of security breach over the last 12 months. Health data is often a lucrative target for criminals, as records contain sensitive information that garner high value when sold on the dark web. Interestingly, human error caused 43% of data breaches in the health sector, compared to the average of 32% across all notifications. Also, healthcare entities are often viewed as soft targets given their open environments focused on providing care expediently and efficiently. Security and data privacy are not often thought of as the primary protection in a healthcare setting, as these are sometimes seen as inhibitors to medical care. Finance was found to be the second highest reporting sector, responsible for 14% of all breaches.
So, what are the key learnings for Australian organisations when it comes to data breaches, and how can they better prepare?
Get Notification Right the First Time
While most entities reporting a data breach provided practical guidance to affected individuals as required by the Privacy Act, the report noted some instances where an initial notification did not meet the requirements of the NDB scheme, and a re-issue of the notification was required.
Getting notifications right the first time is critical—not just for compliance reasons but because communicating incorrectly or too early with too little information can cause more damage, both in terms of reputation as well as regulatory actions.
Notifications that lack the right level of information and/or have to be re-issued can also increase the stress placed on the impacted population. Ensuring the notification carries enough information to give the breached population the best chance to act and protect themselves, is critical. Ideally, an organisation should conduct a thorough investigation prior to notifying, so that they can provide concise information about the nature of the breached information to their impacted population. The recommended remediation steps can be provided. For example, if user names and passwords are known to have been involved in the breach, the advice can be targeted to change passwords and to ensure the password is not reused on other online accounts.
Organisations that get notifications right the first time typically:
- Have a breach notification plan in place which includes relationships with crisis management experts such as law firms, PR agencies, cyber insurance carriers and forensic firms
- Have a pre-approved communications plan that is compliant with applicable laws and considers potential negative media impact, and provides sufficient guidance to those impacted. This in turn helps minimise fines or legal costs piling on existing financial losses.
- Have an experienced breach notification partner who can assist with services such as sending letters, emails, setting up call centres and providing monitoring to the breached population. The partner will also have the resources and expertise to guide and optimize all your outreach and remediation efforts, including those directed by PR firms and legal counsel.
- Regularly test all crisis response plans in controlled scenarios, often in tabletop exercises
The Number of Records Breached May Not Reflect the Impact Felt by the Organisation
The reported average number of records breached in the second half of 2019 was 100. However, the size of the population breached doesn’t necessarily reflect the impact that a breach will have on the organisation itself.
Kroll has supported organisations across the globe through breaches as small as five records and as large as 500 million records, and the impact varies on a case by case basis. Depending on the nature of the records taken and the sensitivity of the information, the impact of the breach of 100 records can potentially be significant for the breached population, as well as the entity whose data was exposed. Stock prices and consumer confidence often fall following a breach, and regardless of magnitude and scope, a security incident impacts the reputation of the organisation.
Cybercriminals have also been known to “warehouse” data stolen during a breach, for use much later, when an organisation and the breach population might believe the threat of data misuse has passed.
Australian organisations that have suffered a breach large or small should take the opportunity to assist their impacted population and take steps to minimise the risk of reoccurrence of further breaches.
Understand the Implications of the Breached Data
The NDB report shows 77% of eligible data breaches involved “information” such as an individual’s home address, phone number or email address. This type of information has sometimes been downplayed as “phonebook” information, but it is important to note that this information:
- Can be combined with information from other data breaches or information publicly available on social media, to bypass typical account verification steps
- Can make the art of deception easier for a criminal
The report also states that a third of breaches involved “identity information,” defined as “information that is used to confirm an individual’s identity, such as passport number, driver’s license number or other government identifiers.”
The implications of criminals having direct access to this information can be far reaching for the breached population, potentially resulting in ID theft that leads to services being taken out by criminals in that individual’s name. For example, criminals can, and have, combined just an Australian driving license number with other details such as date of birth and address to take out credit in a person’s name, and they don’t need the physical license at any point in order to achieve this.
Organisations should undertake a review of the data they hold and the measures they are taking to safeguard it—not only within their environment but those of their third-party vendors— with the ultimate goal of reducing the opportunity for that data to be breached.
Going Beyond Compliance Can Help Increase Customer Confidence
The 2019 Cost of a Data Breach Report found that loss of business was a key contributor to data breach costs. Programs that preserve customer trust, such as offering identity and credit protection, can help reduce the loss of customers following a data breach.
With those findings in mind and reinforced by guidance provided directly by OAIC, Australian businesses should plan to not only meet the legal obligations of the Australian Privacy Act including the NDB requirements, but to exceed them in order to safeguard customer trust. This is needed in an age where customers want and expect more and are more willing than ever to switch brands.
The OAIC 2019 Insights Report stated:
“We also encourage entities to move beyond compliance, to effectively support consumers. While the law obliges entities regulated under the Privacy Act to provide transparent and useful information to consumers, it is those entities who focus on the consumer and navigate beyond compliance—to support affected individuals to take steps to minimise or prevent harm in a meaningful way—who will differentiate themselves and maintain trust over time.”.
Organisations should also be aware that the regulatory landscape is changing, and Australian businesses should be prepared for tougher penalties in the future. The Australian government announced its intention in 2019 to draft new legislation that would introduce tougher penalties for data breaches and greater powers for the privacy commissioner. The ACCC’s Digital Platform’s enquiry also recommended further legislative changes to the privacy act that would include a requirement to erase personal information of a consumer on request.
Australia also saw its first successful class action for a data breach in late 2019 that may be a precursor to future class actions. A global snapshot of data breach class actions from law firm Allens Linklaters found that despite unique instances in each class action, the outcome typically involves a “large settlement at considerable financial cost and reputational damage for the company.” Settlements often require more than financial compensation, with the affected company providing identity/credit monitoring and fraud protection at no cost, and committing to substantial IT and information security upgrades.
Proactively addressing cyber risk, regardless of whether or not you have experienced a data breach, should be a part of good governance for any Australian organisation—now and in the future.
Safeguard Privacy at the Speed of Business
The increasingly digital environment in which organisations operate is entirely dependent on data, and the personal information of consumers is often treated as the oil that moves this new digital world. As individuals surround themselves with technology and seek new, speedier ways to engage online, it is fundamental that organisations treat their privacy with the utmost respect.
Organisations that take a reactive approach to privacy present serious challenges to their overall security and risk position and fail to see the opportunity to strengthen consumer trust. Developing a defensible security strategy, supported by an efficient and well-oiled breach response plan, can kickstart the process from which a strong security culture emerges, and you can count on Kroll’s expertise to help throughout the way.