In brief
Last year was a big year for cybersecurity. Organisations were forced to grapple with an increasingly complex regulatory environment as governments across the globe continued to navigate how to best protect personal information in the face of increasingly sophisticated cybersecurity threats. We look at the top ten cybersecurity trends that defined 2018 and what they mean for Australian businesses in 2019.
Key trends and takeaways
- Mandatory data breach notification laws swept the globe
Businesses operating globally now need to comply with an increasingly complex web of mandatory data breach notification regimes. Organisations must stay informed about the notification thresholds and timeframes across the various jurisdictions in which they operate, and factor this into their data breach response plans.
- Supply chain attacks continued to make headlines
Companies need to remain vigilant in their dealings with third parties. They should make sure that they know their service providers well, restrict their access to the essentials, monitor and update security measures, and establish and enforce robust contractual protections.
- Securities and financial services regulators focused in on cyber security
Australian regulators are likely to follow their counterparts abroad and increasingly bring enforcement action for data breaches. Organisations should ensure that they maintain robust protective systems, as well as mechanisms to detect, respond and notify in the event of a breach.
- Increased focus by both hackers and regulators on critical infrastructure
Owners and operators of critical infrastructure should continue to develop security strategies and risk management policies to improve their ability to prevent and rapidly respond to threats. They should also stay up to date with their obligations under critical infrastructure legislation.
- Increased global cooperation on cyber security
Globally, there have been increasing efforts from private organisations and government to cooperate in sharing information and addressing cyber security issues. To the extent possible, organisations should take advantage of this increasing cooperation to ensure that they stay ahead of current threats.
- Organisations continued to be held hostage by ransomware
Organisations can minimise the risk of these attacks by ensuring that files are regularly and comprehensively backed up, employees are trained to recognise these attacks, and that systems and software are up to date and regularly tested for vulnerabilities. Data breach response plans should specifically contemplate ransomware response.
- Data breaches were disproportionately common and severe in the health sector
Healthcare organisations should adopt 'privacy by design' in their business models, identify vulnerabilities due to outdated systems, perform due diligence on third-party vendors, educate staff on best practice security measures, regularly audit data storage and ensure that when disclosing information publicly, it has been appropriately de-identified.
- Mandatory notification laws increased the threat of data breach class actions
While data breach class actions in Australia and the EU remain uncommon, their prevalence is set to increase following the introduction of mandatory data breach notification laws in both jurisdictions. Organisations should be wary of this, given that class actions have the potential to significantly increase the cost of a data breach.
- Data breaches shone a light on inadequate and unethical data handling processes
Even where no privacy laws have been broken, unethical or improper handling of data revealed by a breach can exacerbate costs and damage to a company. The disconnect between consumer expectations and actual practice in handling data leaves companies open to significant reputational damage and regulatory scrutiny.
- Phishing attacks caught bigger fish
Phishing attacks and Business Email Compromise scams, an advanced form of phishing attack, are increasing in prevalence and sophistication. These types of attacks illustrate the need to educate employees and create a culture of cyber awareness, as hackers exploit human error to carry out these attacks.
Mandatory data breach notification laws swept the globe
Takeaway
Businesses operating globally now need to comply with an increasingly complex web of mandatory data breach notification regimes. Organisations must stay informed about the notification thresholds and timeframes across the various jurisdictions in which they operate, and factor this into their data breach response plans.
Recent developments
Since the first mandatory data breach notification laws were introduced in the United States in 2003,[1] their presence around the world has steadily increased. In 2018, we saw a suite of new mandatory data breach notification regimes introduced across the globe.
- The European Union introduced the most sweeping data protection law changes in the world when the General Data Protection Regulation (GDPR) came into effect on 25 May 2018. The GDPR enhances obligations to notify regulators and individuals of data breaches.[2] In 2018, we saw the first penalty issued under the GDPR;[3] however, we are yet to see an entity fined for failing to comply with the data breach notification requirement.
- In Australia, the Notifiable Data Breaches (NDB) Scheme came into effect on 22 February 2018.[4] Since the introduction of the NDB Scheme, 550 data breaches have been reported,[5] up from 114 reported in the 2016-17 financial year.[6] We are yet to see enforcement action taken regarding failure to comply with the NDB Scheme.
- As of 1 July 2018, mandatory data breach notification regimes have been implemented in every US state, after Alabama and South Dakota passed legislation coming into effect on 1 June and 1 July 2018 respectively.[7] In 2018, amendments were also made to data breach notification legislation in Oregon and Colorado.[8]
- With predictions that GDPR-inspired legislation will soon become the new normal, several governments, such as those in Singapore[9] and Brazil,[10] have begun updating their data privacy regulations to keep pace with the GDPR.[11] Canada's Breach of Security Safeguards Regulations came into effect on 1 November 2018, updating existing mandatory breach notification laws.[12] Canada's Privacy Commissioner acknowledged 'the need to align the Regulations more closely with those breach reporting requirements of the GDPR' in an attempt to harmonise organisations' obligations.
Footnotes
1. The California Security Breach Information Act, enacted in 2002. It came into effect on 1 July 2003.
2. For more information on the key components of the GDPR, see Allens articles New EU rules raise the bar for data security; The GDPR promises the biggest shake-up of European privacy laws for 20 years; Shakeup to EU data protection regulations – impact on Australian businesses.
3. A fine of €20,000 was issued against the social networking site Knuddels.de for storing passwords in clear text, violating its 'duty to ensure data security in the processing of personal data in accordance with GDPR Article 32(1)(a)': see Ionut Ilascu, First GDPR sanction in Germany fines flirty chat platform EUR 20,000 (23 November 2018).
4. For more detailed information on the operation of the NDB Scheme, see our February Pulse edition.
5. Office of the Australian Information Commissioner, Notifiable Data Breaches Quarterly Statistics Report: 1 July – 30 September 2018 (30 October 2018).
6. Office of the Australian Information Commissioner, Notifiable Data Breaches first Quarterly report released (11 April 2018).
7. Alexandria K Bradshaw, Amelia M Gerlicher, Todd M Hinnen and Michael Sussmann, New data breach notification laws spring 2018: What you need to know, Perkins Coie LLP (12 June 2018).
8. William W Hellmuth and Davis Wright Tremaine, Alabama and South Dakota to join breach notification club, with Oregon and Colorado updating approaches, Davis Wright Tremaine LLP (31 May 2018).
9. Singapore's Personal Data Protection Commission has proposed the introduction of a mandatory data breach notification regime. After a period of public consultation demonstrated there was a clear appetite for such laws, the introduction of such a regime appears imminent: see Personal Data Protection Commission Singapore, Response to feedback on the public consultation on approaches to managing personal data in the digital economy (1 February 2018).
10. A mandatory data breach notification scheme has been introduced by the General Data Protection Law, signed into law on 12 August 2018. The law will come into effect on 15 February 2020: see Cooley LLP, Worldwide: Brazil's new data protection law: The LGPD (19 September 2018).
11. Amy C Pimentel and Mark E Schreiber, European Union: GDPR 6 months after implementation – where are we now? (9 November 2018).
12. Julie Hein and Melinda L McLellan, Canadian breach notification requirements take effect November 1, BakerHostetler (25 April 2018).
Supply chain attacks continued to make headlines
Takeaway
Third-party vendors are often the weak link in the data management chain. Unsurprisingly, supply chain attacks now account for a significant number of all data breaches and are increasingly sophisticated.[1] Only 34 per cent of companies keep full records of their third-party suppliers and 22 per cent of companies are unable to determine whether they have in fact suffered a third-party breach in the previous year.[2] In order to best protect against risk, you should:
- Know your third-party service providers. Conduct an inventory of all third parties that have access to your systems and/or your data.[3] Undertake due diligence and perform risk assessments on vendors before engaging them or permitting them to access your systems or data.
- Restrict third party access to the essentials. The level of third-party access to your systems should be limited to the minimum level necessary for their role. Any access by supply chain vendors should be tracked, authenticated and audited to ensure that the extent and nature of use is appropriate.
- Establish robust contractual protections … and enforce them. The assurances that you obtain from suppliers, and the obligations that you impose, should be relevant and proportionate to the risk faced.
- Don't set and forget. Conduct regular and continuous monitoring of security mechanisms and ensure that anti-virus/malware programs are updated regularly.
For more information on how to better protect your supply chain, see How to create a cyber resilient supply chain.
Breaches in 2018
In 2018, we saw many breaches that resulted from supply chain vulnerabilities, including:
- Saks Fifth Avenue and Lord & Taylor: The credit card details of more than five million customers were obtained after hackers took advantage of an insecure point of sale system in-store.[4]
- Universal Music Group: Highly sensitive information was leaked after a contractor at Universal Music failed to secure an Apache Airflow server with a password.[5]
- PageUp: Around 120,000 people were affected after an unauthorised party gained access to the personally identifiable information of users of the PageUp platform. Customers impacted by the breach include the Commonwealth Bank, the ABC, and Australia Post.[6]
- Typeform: Hackers downloaded a partial backup of Typeform's customer data. Typeform's customers include a wide variety of organisations, such as jobs marketplace Airtasker, as well as the Tasmanian Electoral Commission.[7]
- APT10: Hackers linked to the Chinese Government accessed the records of some of the world's largest companies by targeting their managed service providers (MSPs). While officials have been reluctant to name these MSPs, news outlets have reported that IBM, Hewlett-Packard and SAP have all been affected.[8]
Footnotes
1. Seizing Control of Software Supply Chain Security, a survey commissioned by CrowdStrike, revealed 66 per cent of those surveyed had come up against a software supply chain attack at some point; however, only 33 per cent identified this as a 'top area of concern' for their organisation.
2. Kelly Sheridan, Who's the weakest link in your supply chain? (27 November 2018).
3. Kelly Sheridan, Who's the weakest link in your supply chain? (27 November 2018).
4. Top third-party breaches of 2018 (so far), Cyber GRX (7 June 2018).
5. Caitlin Cimpanu, Contractor exposes credentials for Universal Music Group's IT infrastructure (30 May 2018).
6. Shane Swift, Lessons from the PageUp data breach, BDO Australia (16 October 2018).
7. Ry Crozier, Airtasker caught up in Typeform data breach (4 July 2018).
8. Christopher Bing, Jack Stubbs and Joseph Menn, Exclusive: China hacked HPE, IBM and then attacked clients – sources, Reuters (21 December 2018); David Wroe, Nick McKenzie and Matthew Knott, 'Tens of thousands' of Australian firms could be affected by Chinese hack, The Sydney Morning Herald (21 December 2018).
Securities and financial services regulators focused in on cyber security
Takeaway
Regulators globally are focusing on cyber resilience and information security breach notification as both an enforcement priority and a critical aspect of corporate responsibility. In the US and UK, we are seeing an increasing appetite by these regulators to impose penalties for data breaches. Although regulators in Australia have not yet sought penalties for the same, it is only a matter of time until they follow suit. As a consequence, organisations need to ensure that they have robust protective systems against security risks, as well as mechanisms to detect, respond and notify in the event of a breach.
Australia
ASIC has continued to draw attention to cyber security issues, with Commissioner John Price recently acknowledging the need for boards to have a thorough understanding of the cybersecurity landscape as a fundamental aspect of every business's risk management strategy.[1] In September 2018, ASIC released a report that reviewed Australian financial services (AFS) licensees' compliance with the breach reporting requirement in section 912D of the Corporations Act 2001 (Cth). ASIC was critical of AFS licensees, highlighting 'serious' and 'unacceptable' delays in the reporting of significant breaches.[2] ASIC Chair James Shipton noted that the regulator is 'actively considering enforcement action' concerning these failures to report breaches on time.[3]
APRA has also indicated that ensuring entities are able to respond effectively in the event of a cyberattack is a priority moving forward. On 7 November 2018, APRA released the final version of prudential standard CPS 234, the first prudential standard in Australia that specifically addressed information and cyber security. The new standard will take effect on 1 July 2019 and requires APRA-regulated entities to:
- 'clearly define information-security related roles and responsibilities;
- maintain an information security capability commensurate with the size and extent of threats to their information assets;
- implement controls to protect information assets and undertake regular testing and assurance of the effectiveness of controls; and
- promptly notify APRA of material information security incidents.'[4]
With CPS 234 coming into effect in 2019, and APRA's recent commitment to review its enforcement strategy following criticism from the Royal Commission, companies should prepare for APRA to adopt a tougher stance on enforcement.[5] For more information on CPS 234, see our article New APRA Prudential Standard raises bar for information security obligations and incident notification requirements.
Regulators abroad are taking note
After creating a specialised Enforcement Division specifically tasked with investigating cybersecurity incidents in 2017,[6] the Chairman of the US Securities and Exchange Commission (the SEC),[7] Jay Clayton, reiterated that the management of cybersecurity risks would continue to be a priority for the SEC. Cybersecurity was identified as one of five priority areas for 2018 by the SEC's Office of Compliance Inspections and Examinations.[8] The SEC also advised public companies to implement internal accounting controls that incorporate an approach to cyber threats in its Report of Investigation pursuant to s 21(a) of the Securities Exchange Act (the Report). The Report criticised companies for 'failing to identify red flags and train personnel', serving as a timely reminder that the SEC will not be sympathetic towards companies that have inadequate cybersecurity practices.[9]
The UK Financial Conduct Authority (the FCA) has continued to focus on cyber resilience as a key aspect of every company's risk management strategy.[10] In 2018, Megan Butler (an Executive Director of Supervision at the FCA) warned that the FCA 'will take action if they see inappropriate responses and inappropriate protection being taken'.[11] Butler spoke of 'serious vulnerabilities' existing around 'identification of key assets, information and detection'.[12]
Big fines for those who don't disclose
In April 2018, the SEC issued the first enforcement action since it updated its cybersecurity guidance in February 2018.[13] After failing to disclose one of the world's largest data breaches, Yahoo was forced to pay a US$35 million penalty to the SEC to avoid further action.[14] The UK Information Commissioner's Office (the ICO) fined Yahoo UK £250,000 in respect of the same breach for delayed disclosure to investors, and for Yahoo's inadequate approach to safeguarding data. For more on this, see Yahoo continues to pay the price for its 2014 data breach.
The FCA also demonstrated its intolerance for inadequate cybersecurity practices, fining Tesco Bank £16.4 million in October 2018 for a cyberattack suffered in November 2016; a fine that would have been much higher if it weren't for Tesco's cooperation and implementation of a 'comprehensive redress program' following the attack.[15] Mark Steward, Executive Director of Enforcement and Market Oversight at the FCA, spoke of the attack as one which involved a failure to 'protect customers from foreseeable risks'.[16] Steward emphasised the importance of adopting a proactive, rather than reactive, approach to cyber security.
Footnotes
1. John Price (Commissioner), Speech to the Monash Centre for Commercial and Regulatory Studies Symposium (12 November 2018).
2. ASIC, ASIC review finds unacceptable delays by financial institutions in reporting, addressing and remediating significant breaches (25 September 2018).
3. ASIC, ASIC review finds unacceptable delays by financial institutions in reporting, addressing and remediating significant breaches (25 September 2018).
4. APRA, APRA finalises prudential standard aimed at combating threat of cyber attacks (7 November 2018).
5. Lewis Panther, APRA's evolution towards taking (enforcement) action, Finsia (15 November 2018).
6. Coates Lear, Tara M Swaminatha and Elizabeth Weil Shaw, SEC's 2018 exam priorities reflected continued focus on cybersecurity, National Law Review (13 February 2018).
7. Chairman Jay Clayton, Statement on cyber security, US Securities and Exchange Commission (20 September 2017).
8. Coates Lear, Tara M Swaminatha and Elizabeth Weil Shaw, SEC's 2018 exam priorities reflected continued focus on cybersecurity, National Law Review (13 February 2018).
9. Jennifer Achilles and Jim Barbuto, Highlighting the SEC in cybersecurity: Continued regulatory focus on preparedness and response (12 November 2018).
10. Financial Conduct Authority, Business Plan 2017/18 (5 June 2017).
11. FCA warns firms against inadequate cybersecurity protection (30 November 2018).
12. Speech by Megan Butler, Executive Director of Supervision – Investment, Wholesale and Specialists at the FCA, Cyber and technology resilience in UK financial services (27 November 2018).
13. Peter Besalev, SEC issues first civil penalty for failure of data breach disclosure, A-Lign (14 May 2018).
14. US Securities and Exchange Commission, Altaba, Formerly Known as Yahoo!, Charged With Failing to Disclose Massive Cybersecurity Breach; Agrees To Pay $35 Million (24 April 2018).
15. Financial Conduct Authority, FCA fines Tesco Bank £16.4m for failures in 2016 cyber attack (1 October 2018).
16. Financial Conduct Authority, FCA fines Tesco Bank £16.4m for failures in 2016 cyber attack (1 October 2018).
Increased focus by both hackers and regulators on critical infrastructure
Takeaway
Critical infrastructure remains an attractive target for state-sponsored, terrorist and financially motivated hackers, and the potential ramifications of an attack are significant.[1] In order to best protect their assets, owners and operators of critical infrastructure should:
- develop, and regularly review and update, risk management strategies to mitigate the risk posed by threats, and improve resilience in the aftermath of an attack;
- continually monitor vulnerabilities, and update software to ensure their information and systems remain secure; and
- know their obligations under relevant critical infrastructure legislation. This not only facilitates legal compliance but is a valuable source of information in better assessing relevant risks as they arise.
Initial reporting
Entities regulated by Australia's Security of Critical Infrastructure Act 2018 (Cth) should also be aware that their initial reports were due by 11 January 2019. For more information on the reporting requirements under the Act, see Client Update: New reporting requirements for critical infrastructure. For more information on the critical infrastructure threat landscape, see One click from meltdown – cyber-attacks on critical infrastructure.
Attacks on critical infrastructure
In 2018, we saw a significant number of attacks on critical infrastructure globally. In response, various governments also took steps to regulate critical infrastructure sectors to bolster their security and enhance information sharing capabilities.
- Russian attacks on US power grid. In July, the Department of Homeland Security confirmed Russia's military intelligence had accessed the infrastructure of power plants throughout the US since mid-2017.[2] Hackers reportedly gained access through 'spearphishing' emails targeted at 'ill-protected' contractors.[3]
- China hacks the Australian National University (ANU). In July, it was reported that Chinese hackers gained access to IT systems at ANU.[4] ANU maintains that no information was compromised. However, the university was accused of being so 'woefully unprepared' for such an attack that 'it wouldn't know if any data had been stolen'.[5]
- Ukraine Chlorine Plant attack. In July, the Security Service of Ukraine announced that Russian malware made it into a Ukrainian chlorine station, which provides chlorine for the treatment of water and sewage across the country.[6] Ukrainian cyber security specialists were able to quickly identify and address the problem, preventing a significant breakdown of technological process.
Government call outs
Interestingly, we also saw governments increasingly engage in deliberate and coordinated campaigns to call out these attacks.
- The US imposed sanctions on the Russian military intelligence (the GRU) in 2018 for 'attempted interference in the 2016 US election and cyber attacks'.[7] The US Treasury also stated in March 2018 that the GRU 'knowingly engages in activities that undermine cybersecurity on behalf of the Russian government'.[8]
- In April 2018, the US, UK and Australia issued a coordinated announcement that accused the Kremlin of a 'malicious internet offensive' in 2017 that targeted 'government institutions, private sector organisations and infrastructure'.[9]
- In April 2018, the UK National Cybersecurity Centre warned telecoms of the 'potential risks to national security' if they were to deal with Chinese company ZTE.[10]
- In December 2018, the Western Five Eyes Allies condemned China for cyber intrusions of managed service providers perpetrated by APT10. The rebuke came within hours of the US charging two Chinese nationals for hacking various American government agencies and corporations. In Australia, Foreign Affairs Minister Marise Payne and Home Affairs Minister Peter Dutton on Friday issued a strongly-worded joint statement similarly condemning China.[11]
Regulatory responses
- Australia: The Security of Critical Infrastructure Act 2018 (Cth) took effect on 11 July 2018. The legislation creates a critical assets register, and gives the Minister of Home Affairs a 'last resort' power to direct an owner or operator of a critical infrastructure asset to mitigate national security risks. Australia has also banned Chinese telecoms Huawei and ZTE from providing 5G technology to Australian mobile phone operators, citing 'national security risks'.[12]
- US: In September, the Trump White House authorised 'offensive cyber operations against US adversaries'.[13] The strategy allows 'military and other agencies to undertake cyber operations intended to protect their systems and the nation's critical networks'.[14] In late 2017, the National Infrastructure Advisory Council released its final report, Securing cyber assets: Addressing urgent cyber threats to critical infrastructure, which contained 11 recommendations on how to best protect critical infrastructure assets.
- UK: The Joint Committee on National Security Strategy is urging the UK Government to appoint a Cyber Security Minister, in light of growing cyber security threats. The Joint Committee has labelled the current ministerial oversight as 'wholly inadequate' to deal with the emerging threat of attacks on critical infrastructure.[15]
- Singapore: Singapore recently introduced a new Cybersecurity Act, requiring owners of designated 'critical information infrastructures' to report cybersecurity incidents to the Singapore Cyber Security Agency.[16] These laws also mandate that owners of relevant assets conduct regular assessments of any cybersecurity vulnerabilities.
Footnotes
1. Cole Latimer, Cyber security threat: Is Australia's power grid safe from hackers? Sydney Morning Herald (10 November 2017).
Increased global cooperation on cyber security
Takeaway
Globally, there have been increasing efforts from private organisations and government to cooperate on sharing information and tackling cyber security issues. To the extent possible, organisations should take advantage of this increasing cooperation. In Australia, the Australian Cyber Security Centre (the ACSC) facilitates industry collaboration through its receipt of incident reports and dissemination of up to date threat information. Industry specific communities dedicated to the sharing of information also exist at the national and international level. Organisations should seek out and actively participate in these groups to ensure that they stay ahead of current threats.
Global developments
Recent examples of global cooperation include:
- On 17 April 2018, Microsoft, Facebook and 320 other global technology companies announced a joint pledge known as the Cybersecurity Tech Accord, to 'establish new formal and informal partnerships within the industry and with security researchers to share threats and coordinate vulnerability disclosures'.[1]
- In July 2018, the UK and French Governments announced a deal to 'bolster the development and implementation of fast-moving technologies like Artificial Intelligence' and to collaborate on cyber security more broadly.[2]
- On 22 October 2018, military officials from the US and UK, alongside tech industry executives, signed an accord 'committing to the countries to cooperate on cybersecurity and artificial intelligence'.[3]
- In November 2018, officials from Israel and Japan signed an accord to 'cooperate in research and development, information exchange, and training programs in the field of cyber security'.[4]
- Australia, Britain, Canada, New Zealand and the United States, forming the Five Eyes alliance, are increasing cooperation on the issue of 'foreign interference'. Discussions to date have focused primarily on interference by China and Russia.[5]
- Locally, following the Council of Australian Governments meeting on 12 December 2018, Australian governments at the federal, state and territory level announced a commitment to 'better coordinate responses to cyber-attacks'.[6]
Footnotes
1. Tech giants unite in stance against government cyber attacks, Thomson Reuters (1 April 2018). See also Cyber Tech Accord, Signing pledge to fight cyberattacks, 34 leading companies promise equal protection for customers worldwide (17 April 2018).
Organisations continued to be held hostage by ransomware
Takeaway
Organisations should:
- ensure that ransomware attacks are contemplated in their data breach response plans;
- train employees to recognise these attacks;
- keep adequate backups of all files, so that any impacted files can be restored following an attack; and
- ensure operating systems and software are up to date and tested for vulnerabilities.
For more on ransomware, see Spotlight: (Almost) Everything you need to know about ransomware and Should you pay a cyber criminal's ransom?
Ransomware cost victims dearly
After dominating headlines in 2017 with the likes of NotPetya and WannaCry, ransomware attacks continued to wreak havoc in 2018, remaining at the top of Europol's malware threat list.1
SamSam ransomware attacks targeted a number of organisations (predominantly in the US), such as the City of Atlanta.2 Atlanta spent $2.6 million, in addition to the $52,000 worth of Bitcoin demanded, to recover from the attack.3
Expert Chris Boyd4 advised victims of a ransomware attack not to pay the ransom because it 'encourages scammers to continue with their profitable business model'5. In certain circumstances, paying ransom may even amount to a contravention of US sanctions.6 This revelation comes after the cryptocurrency addresses of two individuals involved in converting the ransomware payment into fiat currency were publicly identified and placed on the Specially Designated Nationals and Blocked Persons List.7
In the last weekend of 2018, a ransomware attack disrupted printing operations at several major US newspapers, after malware affected systems used by Tribune Publishing.8
Footnotes
- James Walker, Ransomware remains biggest malware threat in 2018, says Europol, The Daily Swig (18 September 2018).
Data breaches were disproportionately common and severe in the health sector
Takeaway
Organisations in this sector should:
- adopt a 'privacy by design' approach to business operations;
- understand the data flows involved in their practice and the regulatory framework in which they operate;
- identify and address any vulnerabilities created by outdated systems and perform appropriate due diligence on third-party vendors;
- educate staff on cybersecurity risks and data/privacy best practice (including limiting access to sensitive information to staff who require it);
- ensure that where they disclose any information publicly, such information has been appropriately de-identified and aggregated and is not capable of re-identification (including where it is combined with other public datasets); and
- regularly audit data storage processes and compliance with data storage policies and procedures.
For more on this topic, see Data breaches in the healthcare sector: the reality, the costs and how to prevent them.
High numbers of breaches
The healthcare sector has become a popular target in recent times. The substantial amount of personally identifiable information contained within health records makes them 'up to 10 times more valuable'.1
Since the introduction of the NDB Scheme in Australia, the private health sector has continued to report the highest number of data breaches. Since the scheme came into effect, the sector has reported a total of 109 breaches and was the only sector in which more reported breaches were attributed to internal human factors, such as employee carelessness or misbehaviour, than to external threats.2 The figures in the OAIC's Quarterly Reports exclude any incidents involving the My Health Record system. The Australian Digital Health Agency annual report identifies 42 data breaches in relation to the My Health Record system3 in 2017-18, though none were malicious attacks.
Data breaches in the health sector are not unique to Australia. Globally, health information is a 'lucrative target' for hackers4, and we have seen a number of ransomware attacks and class actions that resulted in substantial costs to health service providers.
- A number of US hospitals suffered ransomware attacks in 2018. In January, an Indiana hospital was forced to pay US$55,000 in bitcoin in exchange for the decryption key after a ransomware attack.5 In late November, two hospitals in Ohio suffered similar attacks that prevented them from accepting patients from emergency service transports.6
- In July 2018, CarePartners in Ontario, Canada, announced thousands of patient records were being held for ransom.7
The costs
Apart from the legal risks involved in these data breaches, there are significant financial and reputational ramifications for affected businesses. These include impacts on the level of trust in the underlying patient relationship, the continuing health of patients, the organisation's reputation and regulatory fines or litigation costs.
In addition to the regulatory fines imposed by the US Department of Health and Human Services' Office for Civil Rights, there have been a large number of class actions brought in the US in relation to health sector data breaches. In October 2018, the Office for Civil Rights announced a $16 million settlement with health insurer Anthem Inc. for a 2015 data breach, the largest reported health data breach in US history.8 This is the largest settlement paid to the Office for Civil Rights and follows a 2017 class action which recovered $115 million.9 To help providers confront this costly threat, the Department of Health and Human Services recently released a voluntary guide detailing security measures healthcare organisations should adopt.
In 2018, health firms globally lost 6.7 per cent of their customers following a data breach – the highest of any industry.10 A study published in the American Journal of Managed Care has also found that data breaches at US hospitals are associated with a 64 per cent increase in annual advertising expenditures. On average, hospitals that suffered a data breach spent US$1.15 million more on advertising than those that did not in the two years following the breach.11
Footnotes
- Beverly Head, Australia's health sector reports most data breaches again (31 July 2018).
Mandatory notification laws increased the threat of data breach class actions
Takeaway
While data breach class actions in Australia and the EU remain uncommon, their prevalence is set to increase following the introduction of mandatory data breach notification laws in both jurisdictions. Organisations should be wary of this, as it has the potential to significantly increase the cost of a data breach.
For a more detailed look at the particular obstacles plaintiffs face when commencing a class action in Australia, see Where are all the data breach class actions in Australia? For a brief overview of a number of class actions brought in Australia and overseas, see A global snapshot of data breach class actions.
Class actions on the rise
Class actions arising out of data breaches have been common in the US for some time; in Australia, however, they largely remain uncharted territory. Since the introduction of the NDB Scheme, we have seen a few class actions commenced or threatened in Australia. It remains to be seen how successful these actions will be, in the absence of an actionable right to privacy in Australia.
- Centennial Lawyers filed a class action in relation to a data breach of NSW Ambulance's IT systems, in which the personal information of employees and contractors was leaked.1
- Centennial Lawyers is also taking expressions of interest from persons who may have been affected by the PageUp data breach in May this year.2
- IMF Bentham lodged a complaint against Facebook with the OAIC for alleged breaches of the Privacy Act 1988 (Cth) and APPs. The complaint is based on Cambridge Analytica's unauthorised access, retrieval and use of millions of Facebook users' data.3
In the Digital Platforms Inquiry Preliminary Report released on 10 December 2018, the ACCC supported the introduction of an individual right for consumers to bring claims for breaches of the Privacy Act concerning their information. The ACCC recommended that individuals should be able to recover for financial and non-financial harm suffered as a consequence of a breach of the Privacy Act and the APPs. Watch this space.
In the EU, we have seen the number of data breach class actions steadily increasing following the introduction of the GDPR, which allows persons to recover for non-material damage suffered as a result of a data breach.4 These damages compensate an individual for 'inconvenience, distress and annoyance' attributable to data breaches.5
- In September, SPG Law commenced a £500 million class action proceeding against British Airways after it was revealed that the personal data of 380,000 customers had been compromised.6
- In October, Morrisons was held vicariously liable for the actions of a rogue employee who published the personal information of almost 100,000 employees. While Morrisons has stated its intention to appeal the decision, this serves as a reminder that 'organisations cannot be complacent about data protections'.7
Companies' cyber security practices are coming under increased scrutiny from investors and consumers, giving them another reason to put cyber security at the top of their priority lists.
Footnotes
- Centennial Lawyers, NSW Ambulance Class Action.
Data breaches shone a light on inadequate and unethical data handling practices
Takeaway
Even where no privacy laws have been broken, unethical or improper handling of data revealed by a breach can exacerbate costs and damage to a company. The disconnect between consumer expectations and actual practice in handling data leaves companies open to significant reputational damage.
If 2018 has taught us anything, it's that mere compliance with the regulatory regimes is not sufficient to shield an organisation from scrutiny and possible liability. Organisations must invest in an appropriate data governance framework that includes guiding principles for ethical data use, as well as a function for auditing, monitoring and enforcing compliance with the framework. For more on developing a data governance framework, see our special report Benefits over backlash: Five steps to a fit-for-purpose data strategy.
Significant reputational risks
The following two cases reveal the potential for inadequate data handling to inflict significant reputational damage, even where there is doubt over whether privacy law was in fact breached.
- HealthEngine: In June 2018, the ABC revealed that HealthEngine had been sharing patient information with law firm Slater and Gordon, on the basis that it had obtained express consent.1 Irrespective of whether HealthEngine was in breach of privacy law, these practices were out of step with consumer expectations and perceived as inadequate and unethical. The scandal attracted significant negative media attention. Just nine days later, the company announced that it had changed its business model to ameliorate concerns about its handling of user data.2
- Facebook-Cambridge Analytica: In early 2018, it was revealed that Cambridge Analytica had been harvesting personal data en masse from Facebook and using it for political purposes. Christopher Wylie, the whistle-blower at Cambridge Analytica, claims Facebook knew that data was being improperly pulled as early as 2015 and did nothing.3 While Facebook was fined £500,000 in the UK by the ICO,4 the company also suffered significant reputational damage, with user growth slowing and its market capitalisation dropping by US$119 billion.5 Facebook is also facing possible class action lawsuits in Australia,6 the UK and the US.7
Footnotes
- Pat McGrath, Clare Blumer and Jeremy Story Carter, Medical appointment booking app HealthEngine sharing clients' personal information with lawyers, ABC (26 June 2018).
Phishing scams caught bigger fish
Takeaway
Phishing attacks and Business Email Compromise (BEC) scams, an advanced form of phishing attack, are increasing in prevalence and sophistication. These types of attacks illustrate the need to educate employees and create a culture of cyber awareness, as hackers exploit human error to carry out these attacks. For more on creating a culture of cyber awareness, see The walking dread – fostering cyber awareness in the age of killer viruses.
Phishing
In Australia, the number of phishing attacks rose in the third quarter of 2018, when the OAIC reported that phishing comprised 50 per cent of malicious or criminal attacks.1 This was up from 29 per cent in the second quarter.2
Examples of recent phishing attacks include:
- Airbnb: Early in 2018, hackers impersonating Airbnb warned hosts they would be unable to accept any further bookings until a new privacy policy was accepted and subsequently asked them to enter their personal information.3 This scam took advantage of the fact that many companies were contacting customers about updated privacy policies before the introduction of the GDPR.
- Tax scams: Tax time is popular for phishing attacks, and 2018 was no different. In Australia, scammers impersonating the ATO have been calling individuals and alleging that they have committed fraud against the ATO. Queensland Police Financial and Cyber Crimes Group Detective Inspector Melissa Anderson has advised that government officers ordinarily do not make such calls.4 The Internal Revenue Service has also warned of tax scams in a number of US states.5
BEC
BEC scams involve hacking or social engineering to deceive employees into transferring sensitive information or money to the scammer. Less sophisticated scammers employ 'domain squatting', a process whereby the scammer purchases a domain that looks similar to the domain used by the target company (eg CEO@company.com.au vs CEO@c0mpany.com.au).6 More sophisticated attackers compromise the computers of the target company to take over the legitimate email accounts of high-level executives, making false emails all the more difficult to spot.
Frequently, lower-level employees are the target of these attacks. While BEC scams can be difficult to identify, companies can reduce the likelihood of falling victim to such an attack by implementing training programs for employees and fostering a culture of cyber awareness.
Between October 2013 and May 2018, BEC scams cost businesses around the world more than US$12.5 billion.7 In 2018, a group referred to as 'London Blue' generated a list of 50,000 executives to use as targets for their schemes.8 The scam was discovered after the CFO of a company received a false email purporting to be from the CEO.9
BEC scams are predicted to be an increasingly popular method of attack in 2019, especially against targets that fail to adequately educate employees and do not use multi-factor authentication.10
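The 'domain squatting' lookalike trick described above can be caught mechanically at the mail gateway or in a SIEM rule. The following is an added example (not code from the Allens article) that flags sender domains which only resemble a trusted domain; the allow-list `TRUSTED_DOMAINS`, the homoglyph table and the sample From: headers are all constructed for illustration.

```python
# Added example, not from the original article: flag sender domains that merely
# look like a trusted domain (homoglyph swaps such as 'c0mpany' for 'company',
# or typo-squats such as 'compnay'). All inputs below are constructed.
import re
from typing import List, Tuple

# Constructed allow-list for a hypothetical company; a real deployment would
# load this from configuration.
TRUSTED_DOMAINS = ["company.com.au", "company.com"]

# Character substitutions commonly used to forge look-alike domains. The table is
# applied to both sides of the comparison, so legitimate digits in a trusted
# domain do not produce asymmetric results.
HOMOGLYPHS = {
    "rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
}


def normalise(domain: str) -> str:
    """Lower-case a domain and fold homoglyphs back to the letters they imitate."""
    d = domain.strip().lower().rstrip(".")
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches typo-squats such as 'compnay' for 'company'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Return the domain part of a From: header such as 'CEO <ceo@x.com>'."""
    m = re.search(r"<([^>]+)>", from_header)
    address = m.group(1) if m else from_header.strip()
    return address.rsplit("@", 1)[-1].strip().lower()


def classify(from_header: str, trusted: List[str],
             max_distance: int = 2) -> Tuple[str, str]:
    """Classify a sender as 'trusted', 'lookalike' (with the domain it
    imitates) or 'external' (no resemblance to any trusted domain)."""
    domain = sender_domain(from_header)
    for t in trusted:
        # Exact match or a legitimate subdomain (mail.company.com.au).
        if domain == t or domain.endswith("." + t):
            return ("trusted", t)
    norm = normalise(domain)
    for t in trusted:
        t_norm = normalise(t)
        # A homoglyph swap collapses to an exact match after normalisation; a
        # typo-squat sits within a small edit distance. Very short trusted
        # domains may need a lower threshold to avoid false positives.
        if norm == t_norm or levenshtein(norm, t_norm) <= max_distance:
            return ("lookalike", t)
    return ("external", "")


# Constructed sample From: headers, as a mail gateway would see them.
SAMPLE_FROM_HEADERS = [
    "CEO <ceo@company.com.au>",                    # genuine
    "CEO <ceo@c0mpany.com.au>",                    # digit zero for 'o'
    "Finance <ap@cornpany.com.au>",                # 'rn' for 'm'
    "CFO <cfo@compnay.com.au>",                    # transposed letters
    "Payroll <payroll@mail.company.com.au>",       # legitimate subdomain
    "Supplier <accounts@supplier-invoices.net>",   # unrelated external sender
]


def triage(headers: List[str], trusted: List[str]) -> List[Tuple[str, str, str]]:
    """Return (header, verdict, imitated_domain) for each header."""
    return [(h,) + classify(h, trusted) for h in headers]


if __name__ == "__main__":
    for header, verdict, target in triage(SAMPLE_FROM_HEADERS, TRUSTED_DOMAINS):
        note = f" (imitates {target})" if verdict == "lookalike" else ""
        print(f"{verdict:9s} {header}{note}")
```

A 'lookalike' verdict is a reason to quarantine or to route the message for manual review, which complements, rather than replaces, the employee training and multi-factor authentication the article recommends.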
Footnotes
- OAIC, Notifiable Data Breaches Quarterly Statistics Report: 1 July – 30 September 2018.