SEN­SI­TIVE DATA BREACHES

NZ Business - - FROM THE EDITOR - John Martin is IBM New Zealand’s se­cu­rity prac­tice leader.

Sen­si­tiv­ity around our per­sonal data is grow­ing as com­pa­nies which have had data breaches are in­creas­ingly be­ing held to ac­count. And now New Zealand busi­nesses could be im­pacted by Aus­tralian leg­is­la­tion which makes no­ti­fi­ca­tion manda­tory for cer­tain data breaches. John Martin ex­plains.

Sen­si­tiv­ity around our per­sonal data is grow­ing as com­pa­nies which have had data breaches are in­creas­ingly be­ing held to ac­count. These breaches hap­pen daily around the world, whether it is credit card in­for­ma­tion; names; email ad­dresses; phone num­bers; dates of birth or pass­words. In­creas­ingly cus­tomers and clients want to know whether the data your busi­ness holds on them has been breached. And now New Zealand busi­nesses could be im­pacted by Aus­tralian leg­is­la­tion which makes no­ti­fi­ca­tion manda­tory for cer­tain data breaches. John Martin ex­plains. CAN YOU EX­PLAIN WHAT THE CHANGES TO THE AUS­TRALIAN PRI­VACY ACT FOR NO­TI­FI­ABLE DATA BREACH LEG­IS­LA­TION ARE AND WHAT IT MEANS?

The Aus­tralian No­ti­fi­able Data Breach (NDB) scheme is an amend­ment to the Aus­tralian Pri­vacy Act 1988 (Cth) that es­tab­lishes re­quire­ments for or­gan­i­sa­tions in re­spond­ing to cer­tain data breaches. It came into ef­fect Fe­bru­ary 22. It stip­u­lates that or­gan­i­sa­tions have no­ti­fi­ca­tion obli­ga­tions to the Of­fice of the Aus­tralian In­for­ma­tion Com­mis­sion (OAIC) and in­di­vid­u­als im­pacted by cer­tain data breaches.

A data breach which re­quires no­ti­fi­ca­tion oc­curs when the fol­low­ing cri­te­ria are met: • There is unau­tho­rised ac­cess to, or dis­clo­sure of, per­sonal in­for­ma­tion held by an en­tity (or in­for­ma­tion is lost in cir­cum­stances where unau­tho­rised ac­cess or dis­clo­sure is likely to oc­cur). • This is likely to re­sult in se­ri­ous harm to any of the in­di­vid­u­als to whom the in­for­ma­tion re­lates. • The en­tity has been un­able to pre­vent the likely risk of se­ri­ous harm with re­me­dial ac­tion.

‘Se­ri­ous harm' is not lim­ited to eco­nomic or fi­nan­cial harm but could also in­clude emo­tional, psy­cho­log­i­cal, phys­i­cal or rep­u­ta­tional harm. In as­sess­ing whether a breach con­sti­tutes an el­i­gi­ble data breach, it is nec­es­sary to con­sider the cir­cum­stances, in­clud­ing the scope of dis­closed data, the type of data dis­closed, whether it's pro­tected (e.g. through en­cryp­tion), who might have re­ceived the in­for­ma­tion and the cur­rency of the in­for­ma­tion.

In­tro­duc­tion of the scheme po­ten­tially im­pacts hun­dreds of thou­sands of or­gan­i­sa­tions re­quired to com­ply with the Pri­vacy Act.

The law change is a cat­a­lyst for busi­nesses to en­sure they have a plan to re­spond ef­fec­tively once a breach is iden­ti­fied – in or­der to both com­ply with the changes, as well as to con­tain the rep­u­ta­tional im­pact and cost of a breach.

WHY HAVE THE AUS­TRALIANS GONE DOWN THIS PATH?

The re­al­ity is that in to­day’s global and dig­i­tal busi­ness land­scape, data breaches are go­ing to hap­pen, it is not a ques­tion of if, it is in­evitable. The vol­ume and so­phis­ti­ca­tion of cy­ber­crime is ev­er­in­creas­ing; se­cu­rity teams are sift­ing through 200,000 se­cu­rity events per day on av­er­age [IBM Re­search]. It is es­ti­mated the cy­ber­crime will cost the global econ­omy more than US$2 tril­lion by 2019 and $8 tril­lion by 2022, and rep­re­sents what could be the great­est threat to every com­pany in the world [Ju­niper Re­search].

Ac­cord­ing to the Of­fice of the Aus­tralian In­for­ma­tion Com­mis­sion (OAIC), the NDB scheme strength­ens the pro­tec­tions af­forded to ev­ery­one’s per­sonal in­for­ma­tion and im­proves trans­parency in the way agen­cies and or­gan­i­sa­tions re­spond to se­ri­ous data breaches.

This sup­ports greater com­mu­nity con­fi­dence and trust that per­sonal in­for­ma­tion is be­ing pro­tected and re­spected and en­cour­ages a higher stan­dard of per­sonal in­for­ma­tion se­cu­rity across Aus­tralian in­dus­tries.

IS NEW ZEALAND LIKELY TO FOL­LOW SUIT?

Ac­cord­ing to the Pri­vacy Com­mis­sioner, the New Zealand Gov­ern­ment has in­di­cated that a manda­tory re­quire­ment to re­port data breaches is go­ing to be part of the changes be­ing in­tro­duced to New Zealand’s Pri­vacy Act. The Law Com­mis­sion, in its 2011 pri­vacy law re­view, rec­om­mended manda­tory data breach re­port­ing, and the Gov­ern­ment agreed with that rec­om­men­da­tion, among oth­ers. [It was tabled in Par­lia­ment in late March – Ed]

Many coun­tries around the world are mak­ing sim­i­lar changes.

There will also be an­other 60 Tb/ sec­ond in­ter­na­tional in­ter­net link via the Hawaiki sub­ma­rine ca­ble sys­tem to be in­tro­duced in June 2018, mean­ing there is a high prob­a­bil­ity that we will likely experience in­creased ex­po­sure to cy­ber­crime in the near fu­ture.

HOW WILL IT AF­FECT KIWI OR­GAN­I­SA­TIONS TRADING WITH AUS­TRALIAN FIRMS?

New Zealand or­gan­i­sa­tions which carry on busi­ness in Aus­tralia and col­lect or hold per­sonal in­for­ma­tion in Aus­tralia, could all be af­fected by the NDB scheme and would need to com­ply with the Pri­vacy Act. This in­cludes New Zealand busi­nesses which have no phys­i­cal pres­ence in Aus­tralia but have an on­line pres­ence.

WHAT IS THE MOST LIKELY OUT­COME FROM THIS LEG­IS­LA­TION?

The in­tro­duc­tion of leg­is­la­tion in Aus­tralia will in­crease aware­ness of the need for

proac­tive plan­ning for se­cu­rity breaches and in­cen­tivise many or­gan­i­sa­tions to put a re­sponse plan in place.

Busi­nesses will also need to be clear who is han­dling com­mu­ni­ca­tions with stake­hold­ers (such as the OAIC and af­fected in­di­vid­u­als) well in ad­vance of a breach, as fail­ure to act quickly will fall foul of the Pri­vacy Com­mis­sioner. It will also make con­sumers more aware of the obli­ga­tions of busi­nesses han­dling their data.

Ev­i­dence shows that many Aus­tralian or­gan­i­sa­tions will strug­gle to meet ex­pec­ta­tions and obli­ga­tions of the new law. Ac­cord­ing to the 2017 IBM Ponemon re­port, or­gan­i­sa­tions, on av­er­age, took more than five months (or 175 days) to de­tect that an in­ci­dent had oc­curred. Fail­ure to com­ply with the or­gan­i­sa­tion’s obli­ga­tions un­der the Pri­vacy Act could lead to fi­nan­cial penal­ties – up to A$360,000 for in­di­vid­u­als and A$1.8 mil­lion for body cor­po­rates.

HOW CAN NEW ZEALAND OR­GAN­I­SA­TIONS DE­FEND AGAINST BREACHES?

Or­gan­i­sa­tions should look for the root cause of the breach as part of the in­ci­dent re­sponse. This in­cludes iden­ti­fy­ing the ini­tial at­tack and ad­dress­ing the root cause by re­me­di­at­ing the is­sue per­ma­nently to pre­vent re­oc­cur­rence.

Draw­ing on the ex­per­tise of se­cu­rity teams is of­ten needed to ef­fec­tively man­age the breach life­cy­cle in ac­cor­dance with any or­gan­i­sa­tional or legislative com­pli­ance man­dates. As breaches are of­ten global in na­ture, ac­cess to global ex­perts who can re­spond to in­ci­dents in a re­peat­able man­ner, and pro­vide ac­cess to rich in­tel­li­gence in­for­ma­tion, can sig­nif­i­cantly im­prove the re­sponse to a breach, as well as re­duce the time to re­spond – sav­ing costs and re­sources to the or­gan­i­sa­tion.

At IBM we’re also ap­ply­ing our ar­ti­fi­cial in­tel­li­gence plat­form Wat­son to help aug­ment hu­man skills and ex­per­tise. AI tech­nol­ogy can sup­port and aug­ment a lim­ited pool of avail­able se­cu­rity an­a­lysts to man­age the sheer scale of the global threat land­scape, when it comes to cy­ber­se­cu­rity and mon­i­tor­ing and alert­ing of pos­si­ble breaches.

The mes­sage for New Zealand or­gan­i­sa­tions is: don’t wait for our lo­cal Gov­ern­ment to im­ple­ment changes to New Zealand’s pri­vacy law. You should be pre­par­ing your in­ci­dent re­sponse plans now – whether you have a com­mer­cial re­la­tion­ship with busi­nesses and con­sumers in Aus­tralia or not. It just makes good busi­ness sense.

I READ THAT THE GREAT­EST SE­CU­RITY THREAT TO AN OR­GAN­I­SA­TION IS ITS EM­PLOY­EES?

Hu­man er­ror ac­counts for 28 per­cent of data breach in­ci­dents, usu­ally in­volv­ing a neg­li­gent em­ployee or con­trac­tor. [Ponemon 2017 study].

Hir­ing ef­fec­tively and skilling up your work­force to help avoid se­cu­rity in­ci­dents is a crit­i­cal part of your de­fences. Em­ploy­ees need to bet­ter un­der­stand the value of data, and how to avoid putting it at risk. This in­cludes best prac­tises like en­crypt­ing sen­si­tive data or im­ple­ment­ing ap­pro­pri­ate tech­nol­ogy con­trols around sen­si­tive data.

Well trained and ob­ser­vant em­ploy­ees are also a huge as­set in pre­vent­ing and spot­ting breaches ear­lier, and there­fore re­duc­ing the cost of a data breach.

WHAT ARE YOU AD­VIS­ING BUSI­NESSES TO DO?

As a pri­or­ity, all or­gan­i­sa­tions af­fected by the NDB scheme need to put a re­li­able re­sponse plan in place. This will en­sure an ap­pro­pri­ate, re­li­able and ef­fec­tive re­sponse plan is fol­lowed as soon as a breach is dis­cov­ered or sus­pected.

As events usu­ally move at speed, hav­ing a ro­bust and well-tested re­sponse plan, helps en­sure all crit­i­cal pro­cesses and ac­tions are fol­lowed, and that the or­gan­i­sa­tion can be con­fi­dent noth­ing is go­ing to be missed. In the re­cently re­leased Ponemon In­sti­tute Cy­ber Re­silient Or­gan­i­sa­tion Study, 77 per­cent of nearly 3000 sur­vey re­spon­dents around the globe said they do not have an in­ci­dent re­sponse plan in place.

The brand value of a well-ex­e­cuted re­sponse plan should also not be un­der­es­ti­mated. Or­gan­i­sa­tions that have suf­fered any well-pub­li­cised breach will also be judged pub­licly on their abil­ity to re­spond and re­cover. When a breach oc­curs, it is cru­cial it is han­dled with an un­der­stand­ing of the po­ten­tial im­pact it will have on the or­gan­i­sa­tion’s trust with its stake­hold­ers, and with af­fected cus­tomers and part­ners.

BUT IS ANY­THING RE­ALLY GO­ING TO STOP A BREACH?

There are some key ac­tions that most or­gan­i­sa­tions can take im­me­di­ately to re­duce the risk and im­pact of a data breach, in­clud­ing: • Ex­ten­sive use of en­cryp­tion. • Em­ployee train­ing. • Ap­point­ing a chief in­for­ma­tion se­cu­rity

of­fi­cer. • Hav­ing an in­ci­dent re­sponse team in place, whether in­ter­nally or with a cred­i­ble part­ner.

In­creas­ing cy­ber­se­cu­rity threats are in­deed the na­ture of the world to­day. Breaches will hap­pen; it’s how you re­spond that mat­ters. It’s best to fo­cus on: • Min­imis­ing the loss of rev­enue

as­so­ci­ated with a se­cu­rity in­ci­dent. • Bet­ter pro­tect­ing in­tel­lec­tual prop­erty,

client data and rep­u­ta­tion. • Re­cov­er­ing in a shorter time, get­ting back to busi­ness more quickly and re­duc­ing the costs as­so­ci­ated with man­ag­ing the breach.

Newspapers in English

Newspapers from New Zealand

© PressReader. All rights reserved.