Data breaches risk reputation
Reputational damage is the greatest risk from data breaches, Andrew Solomon, acting deputy commissioner at the Office of the Australian Information Commissioner (OAIC), told the AILA conference.
Community expectations on data security were high and breaches undermined organisations' social licence.
Breaches had direct, indirect and opportunity costs and the impacts were not limited to the organisation responsible. “After breaches, people start doubting information handling across sectors or the whole economy,” he said.
“They say trust takes years to build, seconds to break and forever to repair, but it's not always irreparable.”
Direct costs included investigations, notification, communications, customer support, legal costs and advice, consulting, and identity protection services. Indirect costs included time, effort and other resources. Opportunity costs were negative reputation, lost business, and diminished confidence and social licence.
The notifiable data breaches scheme (NDBS), overseen by OAIC, has been operating since 22 February 2018, aimed at increasing transparency and accountability. Mr Solomon said it helped maintain public confidence.
The latest quarterly OAIC report said 245 notifiable data breaches (NDBs) were reported in July to September, compared with 242 in the prior quarter. Most NDBs affected fewer than 100 people.
Malicious or criminal attacks were responsible for 57% of incidents and 37% resulted from human error.
The top five industry groups in the July-September report were health (45 notifications); finance (35); legal, accounting and management services (34); education (16); and business and professional associations (13).
Mr Solomon said key lessons from NDBS were:
• Reduce risk by addressing human error: promote staff awareness of strong password practices and information security controls
• Implement effective data breach response strategies: establish clear procedures, identify data holdings and prepare communications
• Third-party co-operation: only one entity needs to conduct an assessment and make the required notifications
• Avoid data breach fatigue: not every breach requires notification
Mr Solomon said poor preparation was noticed and “can lead to a significant hit to reputation and the bottom line”. “Organisations need to be trusted custodians of personal information.” Today's data-driven life required ethics, dignity and respect. Legal compliance alone was not enough.
Mr Solomon advised organisations to clearly document processes taken when deciding whether a breach was notifiable. “That will assist us in deciding whether it's a reasonably justifiable decision.”
Panel session debate
In a separate panel session on cyber risk, Andrew Taylor, cyber underwriting manager Asia Pacific for Chubb, said the OAIC report had no surprises but data breaches were a small business problem because larger organisations were “ramping up” their efforts to avoid breaches.
There was “confusion at the lower end of the market and human error is underestimated. It's governance more than security”.
Mr Taylor said cyber insurance was not a new product, as many imagined, having been on the market since about 2009. Uptake was “consistently growing”.
Organisations had to understand data's value. “Think about your email inbox. How much of it is sensitive? Multifactor identification works. Weak passwords are human error, an easy fix.”
Mr Taylor said lawyers were “the best risk going around”. They had access to sensitive client data. Professional firms had “simple governance issues”. Many thought data security was an IT problem and data was secure in the cloud. “Nothing could be further from the truth.”
He was critical of “boilerplate contracts” that included clauses requiring PI and workers' compensation insurance but neglected data protection. “It's worth considering privacy protection in contracts.” Some online contracts unwittingly gave away data rights to entities like Google.
Marsh cyber specialist Kelly Butler said there was a need to better educate clients and embed awareness into organisations' cultures. There was an uptake in cyber insurance, but not as large as expected post NDBS's implementation. It was important for clients to understand their risk before buying cover.
The EU's general data protection regulation (GDPR), which included large penalties for data breaches, had made organisations “prick their ears up” and boards were “starting to understand” the risks.
Nigel Hardy, security practice leader at Kinetic IT, said many organisations had “huge attack surfaces or footprints, e.g. health”. Due diligence had to be “front of mind” and organisations had to consider the cost of getting controls in place, analysis and damage recovery.
Problems he identified included cloud-based data management and weak passwords, making it easy to penetrate mailboxes. He warned the average time taken to detect breaches was nine months and ransomware attacks could mask more serious data leakage over time.
Data aggregators were “scraping your information from Facebook and LinkedIn ... pushing it into the cloud in a single place, so it's easy for attackers to breach”.
Moderator John Moran, a Clyde & Co partner, asked what was on the radar for 2019.
Mr Taylor anticipated greater awareness, more attacks, and a bigger uptake of cyber insurance.
Mr Hardy said there would be new threats. As security got better, attackers would find the next vulnerability to exploit.
Ms Butler said insurers were now focusing on aggregation risk. About 100 Marsh clients had been affected by recruitment services provider PageUp's data breach.
In the Q&A session, insurance lawyer Michael Gill asked about internal threats, e.g. from disgruntled employees.
Panelists agreed an organisation's culture was important. Mr Hardy said: “We assess business risks, governance, authentication systems, whether the right people are accessing the right systems, and are the right controls in place.”
Mr Moran warned: “Organisations can overlook operational risk because they're focused on technical issues.”