Cyber Security Readiness & New Mandatory Data Breach - - PowerPoint PPT Presentation



SLIDE 1

Cyber Security Readiness & New Mandatory Data Breach Notification Laws

Norton Rose Fulbright Australia April 2018

SLIDE 2

Purpose

This presentation has been commissioned by CyberHound Pty Ltd (part of the Superloop Group) to assist schools that are covered by the Privacy Act in understanding issues around cyber security and obligations to notify of data breaches. This presentation is not intended as legal advice, nor should it be construed or relied upon as such. Readers should be sure to take their own legal advice on any of the issues covered by this publication. Each set of circumstances will be different and legal advice should be obtained.

Disclaimer

Norton Rose Fulbright US LLP, Norton Rose Fulbright LLP, Norton Rose Fulbright Australia, Norton Rose Fulbright Canada LLP and Norton Rose Fulbright South Africa Inc are separate legal entities and all of them are members of Norton Rose Fulbright Verein, a Swiss verein. Norton Rose Fulbright Verein helps coordinate the activities of the members but does not itself provide legal services to clients. References to ‘Norton Rose Fulbright’, ‘the law firm’ and ‘legal practice’ are to one or more of the Norton Rose Fulbright members or to one of their respective affiliates (together ‘Norton Rose Fulbright entity/entities’). No individual who is a member, partner, shareholder, director, employee or consultant of, in or to any Norton Rose Fulbright entity (whether or not such individual is described as a ‘partner’) accepts or assumes responsibility, or has any liability, to any person in respect of this communication. Any reference to a partner or director is to a member, employee or consultant with equivalent standing and qualifications of the relevant Norton Rose Fulbright entity. The purpose of this communication is to provide general information of a legal nature. It does not contain a full analysis of the law nor does it constitute an opinion of any Norton Rose Fulbright entity on the points of law discussed. You must take specific legal advice on any particular matter which concerns you. If you require any advice or further information, please speak to your usual contact at Norton Rose Fulbright.


SLIDE 3

Contents

  • 1. Cyber security – a rapidly changing and growing problem
  • 2. Increased regulatory and governmental guidance
  • 3. Essential questions for schools
  • 4. New mandatory data breach notification laws
  • 5. Top three priorities:
    – Have a Data Breach Response Plan
    – Manage the security of your service providers
    – Train your staff and students in cyber awareness

3 Cyber Readiness and Mandatory Data Breach Notifications

SLIDE 4

US$6 trillion

Estimated annual cost of cybercrime worldwide by 2021

(Source: 2016 Cybercrime Report, Cybersecurity Ventures)

SLIDE 5

$3.2 million

Average cost to an organisation of a malware attack

(Source: 2017 Cost of Cybercrime Study, Accenture)

SLIDE 6

2.5

Average number of successful security breaches per company each year

(Source: 2017 Cost of Cybercrime Study, Accenture)

SLIDE 7

Environment of data threats

SLIDE 8

Threats – external & internal

Internal

  • Passwords too simple or infrequently changed
  • Loss of laptops, tablets and phones – unencrypted
  • Staff revealing password and security information to phishing fraudsters
  • Improper destruction of corporate records
  • Insecure service providers

External

  • Ransomware (e.g. WannaCry)
  • Distributed denial of service attacks (DDoS)
  • Phishing emails/websites – rely on vulnerable people
  • Malware that gathers or intercepts passwords
  • Online account hacking


SLIDE 9

Key questions

  • Risk management framework
    – Are cyber risks an integral part of your risk management framework?
    – How often is your cyber resilience program reviewed?
  • Identifying cyber risk
    – What risk is posed by cyber threats?
    – Do you need further expertise to understand and manage the risk?


SLIDE 10

Key questions

  • Monitoring cyber risk
    – How can cyber risk be monitored and what escalation triggers should be adopted?
  • Controls
    – What is the people strategy around cybersecurity?
    – What is in place to protect critical information assets?
  • Response
    – What needs to occur in the event of a breach?


SLIDE 11

Questions for school boards and management

  • Governance questions
    – Who is ultimately responsible for the information security of the school?
    – Which stakeholders (other than IT) are involved in developing your program and the potential financial impacts that may arise out of a breach? How do these stakeholders interact, and how often do they do so?
  • Crown jewel analysis
    – Which systems/databases/data, if affected by a security incident, would have the most significant impact on your school (top 3-5)?
    – Have you conducted a business impact analysis should those systems/databases/data be lost, stolen or interrupted due to a security incident?


SLIDE 12

Questions for school boards and management

  • Policies and procedures
    – Does your organisation have:
      • an information security program?
      • a Data Breach Response Plan?
      • a vendor management program?
    – For each of these:
      • Who developed it and/or had material input? Is it multi-disciplinary or IT/security only?
      • What is the scope of the plan?
      • Are the organisation and its various business units and subsidiaries currently confirmed as compliant?
      • When was the plan put in place? Is there a formal process for regularly reviewing and revising the plan? When was the last time the plan was updated?


SLIDE 13

Questions for school boards and management

  • Threats
    – What does management believe are the (top 3-5) current threats to the organisation from an information security perspective?
    – How does management prioritise/identify higher risk threats?
    – What methods are used by management to identify and forecast new information security threats to the organisation?
  • Incident experience
    – What methods and information technology are in place to enable the organisation to detect security incidents as soon as possible?
    – Number of security incidents occurring over a specified time period?
    – Number of security breaches (e.g. actual unauthorised access or acquisition of sensitive information) occurring over a specified period of time?
    – What are the most financially impactful security incidents/breaches (top 3-5) that have occurred previously?
    – How were the security incidents/breaches managed, and how could this have been improved?


SLIDE 14

Mandatory data breach notification

  • Substantial new amendments to the Privacy Act 1988 (Cth)
  • Commenced 22 February 2018
  • Introduction of new mandatory data breach notification obligations
  • The amendments require that “eligible data breaches” must be notified to the Commissioner and affected or at risk individuals
  • Supplements APP 11.1, Privacy Act 1988 (Cth)
    – Organisations must take reasonable steps to protect personal information that they hold from misuse, interference, loss and unauthorised access, modification or disclosure
    – But it does not have to be a breach of APP 11.1 to be notifiable


SLIDE 15

Eligible data breaches

An eligible data breach occurs where:

  • an entity holds personal information and is required to protect the information from misuse, interference and loss and from unauthorised access, modification or disclosure;
  • there is unauthorised access to, or unauthorised disclosure of, personal information held by the entity, or personal information is lost in circumstances where access to, or unauthorised disclosure of, the information is likely to occur; and
  • a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates.


SLIDE 16

Likely to result in serious harm: relevant factors

  • The types of information affected
  • The sensitivity of the information (particularly important for schools given the nature of the information held)
  • Whether the information is protected by one or more security measures (such as encryption)
  • If the information is protected by one or more security measures, the likelihood that any of those security measures could be overcome (such as by obtaining the encryption key or 'cracking' the encryption)
  • The persons, or the kinds of persons, who have obtained, or who could obtain, the information
  • If a security technology or methodology was used, the likelihood that the persons, or the kinds of persons, who have obtained, or who could obtain, the information and who have or are likely to have the intention of causing harm to any of the individuals to whom the information relates have obtained, or could obtain, information or knowledge required to circumvent the security technology or methodology


SLIDE 17

Serious harm – insights

  • The phrase ‘likely to occur’ means the risk of serious harm to an individual is more probable than not (rather than possible).
  • Examples of the kinds of information that may increase the risk of serious harm if there is a data breach include documents commonly used for identity fraud (including Medicare card, driver licence and passport details), financial information and a combination of personal information (rather than a single piece of personal information).
  • The Office of the Australian Information Commissioner considers that a breach involving the personal information of a very large number of people is likely to result in serious harm to at least one of those individuals.


SLIDE 18

Notification of eligible data breaches

  • Notification
    – Notification obligations will apply if an organisation is aware that there are reasonable grounds to believe there has been an eligible data breach
    – Notification obligations must be complied with as soon as practicable after becoming so aware
  • Assessment
    – Where there is doubt that there are reasonable grounds to believe there has been an eligible data breach, organisations will be required to assess whether an eligible data breach has occurred within 30 days of becoming aware that there are reasonable grounds to suspect there may have been an eligible data breach


SLIDE 19

Notification obligations

  • 1. Prepare a notification statement that contains:
    a. the identity and contact details of the organisation
    b. a description of the eligible data breach
    c. the kinds of information affected
    d. recommendations for affected individuals
  • 2. Provide a copy of the notification statement to the Australian Information Commissioner
  • 3. Notify the relevant individuals
    a. If practicable, notify the contents of the statement to:
       i. each of the individuals to whom the affected information relates; or
       ii. each of the individuals who are at risk from the eligible data breach
    b. If that is not practicable, publish a copy of the statement on the organisation’s website and take reasonable steps to publicise the contents of the statement


SLIDE 20

Failure to notify an eligible data breach

  • If the failure to notify is a serious or repeated interference with the privacy of the individuals that are affected or at risk, then the Commissioner can seek an order in a Federal court that the organisation pays a civil penalty of up to $2.1 million
  • If you decide that the data breach is not notifiable, but the Privacy Commissioner takes a different view (especially if serious harm can be proved), you may be in breach
  • If in doubt, notify


SLIDE 21

Other relevant provisions

Remedial measures

  • Where remedial action has been taken and a reasonable person would conclude that the remedial action would mean that the access, disclosure or loss of the information would not be likely to result in serious harm to any affected individuals as a result, then the data breach notification obligations would not apply
  • For example, the recipient of a misdirected email confirms that they have not read the email and have deleted it

Eligible data breaches by overseas recipients

  • If an Australian organisation has disclosed personal information to an overseas recipient under Australian Privacy Principle 8.1, the data breach notification obligations are deemed to apply to the personal information held by that overseas recipient.


SLIDE 22

Insights: access, disclosure and loss

  • Unauthorised access: Unauthorised access to personal information occurs when personal information that an entity holds is accessed by someone who is not permitted to have access. This includes unauthorised access by:
    – employees
    – contractors
    – third party hackers
  • Encryption or destruction of information: If the personal information on a lost device is remotely deleted before an unauthorised person could access the information, or if the information is encrypted to a high standard making unauthorised access or disclosure unlikely, then there may be no eligible data breach.


SLIDE 23

Insights: avoiding multiple notifications

  • You and your service provider: Where more than one organisation could hold personal information (e.g. due to outsourcing), the amendments intentionally do not specify which entity must undertake the notification, in order to allow entities flexibility in making arrangements appropriate for their business and their customers.
  • Specify responsibilities in your agreement: Entities should consider making arrangements regarding compliance with the mandatory data breach notification obligations, including notification to individuals at risk of serious harm (such as in service agreements or other relevant contractual arrangements), as a matter of course when entering into such agreements.
  • Control communications with your customers: The Commissioner’s suggestion is that the entity with the most direct relationship with the individuals at risk of serious harm should notify.


SLIDE 24

Service provider breaches

  • Many data breaches arise from suppliers’ systems
    – You may be liable for acts and omissions of your service providers
    – 53% outsource IT functions to some extent, with another 26% planning to do so
    – 72% do not have adequate tools & processes to manage their vendors (Source: Deloitte)
  • Conflict of interest in notifying you of a data breach
  • Inability to access systems and perform an investigation
  • Multiple customers may be affected
  • Vendor management programmes and contractual obligations are critical


SLIDE 25

Data Breach Response Plan

  • Surveys by Symantec show substantial reductions in the cost of data breaches if organisations have a Data Breach Response Plan, a strong security posture and appoint a CISO
  • The plan requires detailed preparation, rehearsal and periodic updating
  • A Data Breach Response Plan covers procedures to minimise the effects of data breaches or cyber-attacks, including:
    – initial response to breaches through initial reporting and taking immediate steps to protect the organisation and its customers
    – identification of relevant external advisors: forensic IT, IT system and privacy auditors, lawyers and crisis PR specialists
    – investigation of the IT incident, including preservation and recording of data
    – reporting of the IT incident and notification to customers and regulators
    – assessment of damage, loss and costs
    – recovery and avoidance of future IT incidents


SLIDE 26

Next steps

  • Ensure that your staff are fully engaged with cyber risk management, and are trained to be aware of cyber risks
  • Prepare a Data Breach Response Plan – test it, review it and train relevant staff
  • Review key contracts with service providers – does each contract contain appropriate security obligations? Are service providers obliged to notify the organisation of the occurrence of a data breach?
