The recent spectacular leak of documents from the Panama law firm Mossack Fonseca illustrates just how easy it is with modern technology to access and disseminate vast amounts of information. The leak is said to have comprised some 2.6 terabytes with some 4.8 million emails, 3 million database entries, 2.2 million PDFs, 1.2 million images, 320,000 text files and 2,242 files in other formats.[i]
It is not known how the leak from Mossack Fonseca occurred. The data was provided by an anonymous source to a German newspaper under strict conditions to prevent identification of the source. Mossack Fonseca has reportedly said that this was not an “inside job” but that the firm had been “hacked”.[ii]
The Australian Cyber Security Centre released in December 2015 the 2015 ACSC Cyber Security Survey: Major Australian Businesses. Respondents to the survey reported cyber security incidents (those considered to have harmed the confidentiality, integrity or availability of a network’s data or systems) in the last 12 months. As the name of the survey indicates, most of the respondents (67%) were from large organisations (200+ employees), 23% from medium-size organisations (21-199 employees) and 10% from small organisations (less than 20 employees). A breakdown of the responses was:
Respondents to the survey identified the following cyber threats that they considered to be of the most concern:
Responses indicated that the following were the cyber actors of most concern:
From these responses, and anecdotally, the potential for a cyber attack and unauthorised access to information on a network is far from remote, particularly with substantial increases in ransomware attacks.
The ACSC Report indicated that only 51% of respondents reported cyber security incidents to an official body such as CERT Australia (the Australian national computer emergency response team) or law enforcement agencies or ACORN (the Australian Cybercrime Online Reporting Network).
Another regime may soon exist for mandatory reporting of incidents which result in unauthorised disclosure of personal information or credit information within the ambit of the Privacy Act 2008 (Cwlth). An Exposure Draft Bill, the Privacy Amendment (Notification of Serious Data Breaches) Bill 2015, has been released for comment and submissions closed on 4 March 2016.
The amendments that are proposed in the draft Bill arise from Report 108 of the Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice. The main concern is the increasing amount of personal information held in relation to individuals and the possibility of identity fraud.
The Discussion Paper for the draft Bill indicates that the intention is that:
Notification would be required if a serious data breach has occurred, or if an entity has reasonable grounds to believe that this has occurred.
Submissions have been made by numerous organisations in relation to the draft Bill. Many submissions, including that of the Australian Information Industry Association, raise concerns about some of the unclear concepts and strict obligations that are contained in the draft.
The Discussion Paper issued with the draft Bill indicates that the Office of the Australian Information Commissioner (OAIC) will issue guidelines on these concepts. The OAIC already has an extensive Data Breach Notification Guide, issued in 2014.
The Government is considering submissions and is in the process of preparing a revised draft Bill for Parliament. If an Act is passed that is consistent with the draft Bill, it will commence 12 months after Royal assent.
The requirements for notification in the draft Bill, if it becomes an Act, will apply to any entity that is an APP entity under the Privacy Act. This will include any business with an annual turnover of more than $3 million, and will also include any business that provides a health service (as widely defined) or any business providing personal information in return for benefits.
The Australian Government recognises the risks that are posed by data breaches and on 21 April 2016 released an Australian Cyber Security Strategy. The Attorney-General’s Department advises that the Strategy establishes five themes of action for Australia’s cyber security over the next four years to 2020:
The Government will commit $230 million to advance the strategy, indicating the seriousness with which the Government views cyber security and protection of data.
In view of the increasing prevalence of cyber threats, all businesses would be wise to ensure that they have appropriate security strategies and safeguards. What may be appropriate for any particular organisation will depend very much on its size, operations and circumstances.
Losses and liabilities that may arise from an adverse cyber security incident can be substantial. Apart from internal disruptions and costs, liabilities may exist to individuals and other third parties, whether by reason of Privacy legislation or by reason of obligations of confidentiality and care that may be owed to other parties with information held by an organisation.
The ACSC Report mentioned above indicates that predominant factors contributing to industry cyber incidents were identified as staff errors or omissions and poor security culture, as well as misconfigured systems and sophistication and targeting of the incidents. Having comprehensive and appropriate staff policies, procedures and guidelines, as well as training and information in relation to IT security and management, can substantially reduce the risks.
[ii] Ibid, Mossack Fonseca responses.
[iii] Attorney-General’s Department, https://www.ag.gov.au/RightsAndProtections/CyberSecurity/Pages/default.aspx
This communication provides general information which is current as at the time of production. The information contained in this communication does not constitute advice and should not be relied upon as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Should you wish to discuss any matter raised in this report, or what it means for you, your business or your clients' businesses, please feel free to contact us.