
Cyber Security Readiness & New Mandatory Data Breach - PowerPoint PPT Presentation



  1. Cyber Security Readiness & New Mandatory Data Breach Notification Laws Norton Rose Fulbright Australia April 2018

  2. Purpose

  This presentation has been commissioned by CyberHound Pty Ltd (part of the Superloop Group) to assist schools that are covered by the Privacy Act in understanding issues around cyber security and obligations to notify of data breaches. This presentation is not intended as legal advice, nor should it be construed or relied upon as such. Readers should be sure to take their own legal advice on any of the issues covered by this publication. Each set of circumstances will be different and legal advice should be obtained.

  Disclaimer

  Norton Rose Fulbright US LLP, Norton Rose Fulbright LLP, Norton Rose Fulbright Australia, Norton Rose Fulbright Canada LLP and Norton Rose Fulbright South Africa Inc are separate legal entities and all of them are members of Norton Rose Fulbright Verein, a Swiss verein. Norton Rose Fulbright Verein helps coordinate the activities of the members but does not itself provide legal services to clients. References to ‘Norton Rose Fulbright’, ‘the law firm’ and ‘legal practice’ are to one or more of the Norton Rose Fulbright members or to one of their respective affiliates (together ‘Norton Rose Fulbright entity/entities’). No individual who is a member, partner, shareholder, director, employee or consultant of, in or to any Norton Rose Fulbright entity (whether or not such individual is described as a ‘partner’) accepts or assumes responsibility, or has any liability, to any person in respect of this communication. Any reference to a partner or director is to a member, employee or consultant with equivalent standing and qualifications of the relevant Norton Rose Fulbright entity. The purpose of this communication is to provide general information of a legal nature. It does not contain a full analysis of the law nor does it constitute an opinion of any Norton Rose Fulbright entity on the points of law discussed. You must take specific legal advice on any particular matter which concerns you. If you require any advice or further information, please speak to your usual contact at Norton Rose Fulbright.

  3. Contents

  1. Cyber security – a rapidly changing and growing problem
  2. Increased regulatory and governmental guidance
  3. Essential questions for schools
  4. New mandatory data breach notification laws
  5. Top three priorities:
     • Have a Data Breach Response Plan
     • Manage the security of your service providers
     • Train your staff and students in cyber awareness

  Cyber Readiness and Mandatory Data Breach Notifications

  4. US$6 trillion Estimated annual cost of cybercrime worldwide by 2021 (Source: 2016 Cybercrime Report, Cybersecurity Ventures)

  5. $3.2 million Average cost to an organisation of a malware attack (Source: 2017 Cost of Cybercrime Study, Accenture)

  6. 2.5 Average number of successful security breaches per company each year (Source: 2017 Cost of Cybercrime Study, Accenture)

  7. Environment of data threats

  8. Threats – external & internal

  Internal
  • Passwords too simple or infrequently changed
  • Loss of laptops, tablets and phones – unencrypted
  • Staff revealing password and security information to phishing fraudsters
  • Improper destruction of corporate records
  • Insecure service providers

  External
  • Ransomware (e.g. WannaCry)
  • Distributed denial of service attacks (DDoS)
  • Phishing emails/websites – rely on vulnerable people
  • Malware that gathers or intercepts passwords
  • Online account hacking

  9. Key questions

  • Risk management framework
    - Are cyber risks an integral part of your risk management framework?
    - How often is your cyber resilience program reviewed?
  • Identifying cyber risk
    - What risk is posed by cyber threats?
    - Do you need further expertise to understand and manage the risk?

  10. Key questions

  • Monitoring cyber risk
    - How can cyber risk be monitored and what escalation triggers should be adopted?
  • Controls
    - What is the people strategy around cybersecurity?
    - What is in place to protect critical information assets?
  • Response
    - What needs to occur in the event of a breach?

  11. Questions for school boards and management

  • Governance questions
    – Who is ultimately responsible for the information security of the school?
    – Which stakeholders (other than IT) are involved in developing your program and in assessing the potential financial impacts that may arise out of a breach? How do these stakeholders interact, and how often do they do so?
  • Crown jewel analysis
    – Which systems/databases/data, if affected by a security incident, would have the most significant impact on your school (top 3-5)?
    – Have you conducted a business impact analysis for the case where those systems/databases/data are lost, stolen or interrupted due to a security incident?

  12. Questions for school boards and management

  • Policies and procedures
    – Does your organisation have:
      • an information security program?
      • a Data Breach Response Plan?
      • a vendor management program?
    – For each of these:
      • Who developed it and/or had material input? Is it multi-disciplinary or IT/security only?
      • What is the scope of the plan?
      • Are the organisation and its various business units and subsidiaries currently confirmed as compliant?
      • When was the plan put in place? Is there a formal process for regularly reviewing and revising the plan? When was the last time the plan was updated?

  13. Questions for school boards and management

  • Threats
    – What does management believe are the (top 3-5) current threats to the organisation from an information security perspective?
    – How does management prioritise/identify higher risk threats?
    – What methods are used by management to identify and forecast new information security threats to the organisation?
  • Incident experience
    – What methods and information technology are in place to enable the organisation to detect security incidents as soon as possible?
    – How many security incidents occurred over a specified time period?
    – How many security breaches (e.g. actual unauthorised access to or acquisition of sensitive information) occurred over a specified period of time?
    – What are the most financially impactful security incidents/breaches (top 3-5) that have occurred previously?
    – How were those security incidents/breaches managed, and how could this have been improved?

  14. Mandatory data breach notification

  • Substantial new amendments to the Privacy Act 1988 (Cth)
  • Commenced 22 February 2018
  • Introduction of new mandatory data breach notification obligations
  • The amendments require that “eligible data breaches” must be notified to the Commissioner and to affected or at-risk individuals
  • Supplements APP 11.1, Privacy Act 1988 (Cth)
  • Organisations must take reasonable steps to protect personal information that they hold from misuse, interference, loss and unauthorised access, modification or disclosure
  • However, an incident does not have to involve a breach of APP 11.1 to be notifiable

  15. Eligible data breaches

  An eligible data breach occurs where:
  • an entity holds personal information and is required to protect the information from misuse, interference and loss and from unauthorised access, modification or disclosure;
  • there is unauthorised access to, or unauthorised disclosure of, personal information held by the entity, or personal information is lost in circumstances where unauthorised access to, or unauthorised disclosure of, the information is likely to occur; and
  • a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.

  16. Likely to result in serious harm: relevant factors

  • The types of information affected
  • The sensitivity of the information (particularly important for schools given the nature of the information held)
  • Whether the information is protected by one or more security measures (such as encryption)
  • If the information is protected by one or more security measures, the likelihood that any of those security measures could be overcome (such as by obtaining the encryption key or 'cracking' the encryption)
  • The persons, or the kinds of persons, who have obtained, or who could obtain, the information
  • If a security technology or methodology was used, the likelihood that the persons, or the kinds of persons, who have obtained, or who could obtain, the information and who have or are likely to have the intention of causing harm to any of the individuals to whom the information relates have obtained, or could obtain, information or knowledge required to circumvent the security technology or methodology
