Earlier this year we looked at the growing issues of cybercrime and data security, with specific reference to the Notifiable Data Breaches (NDB) scheme introduced by the Australian Government on 22 February as part of the Privacy Act 1988.
With the new scheme now up and running for businesses with annual turnover of $3 million or more, it’s a good time to take a closer look at the impact of the changes – especially given a number of recent high-profile data breaches, including the damaging revelations surrounding shipping company Svitzer Australia as well as the social media behemoth, Facebook.
(Further highlighting the challenges of data breaches, even as I was writing this article another case emerged in the news, a ransom hacking incident involving highly sensitive personal information of around 8,000 clients of Family Planning NSW. You can read more here.)
Svitzer in deep water
In mid-March of this year, shipping company Svitzer Australia – part of the Danish shipping conglomerate Maersk – earned the unfortunate distinction of becoming the first business to report a data breach under Australia’s new NDB laws when the personal information of almost half of its 1,000 employees was leaked outside the organisation. In a major security breach, up to 60,000 emails from the company’s finance, payroll and operations departments had been secretly and intentionally auto-forwarded to two external accounts between May 2017 and March 2018. The emails contained large amounts of highly sensitive personal information, including tax file numbers, next of kin details and superannuation details. The breach was only detected after some of the covert emails began to bounce back, with forensic IT investigations later determining that the breach was caused by external perpetrators.
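The Svitzer breach ran for ten months because nobody was looking for mailbox rules that quietly forward mail outside the organisation. The following script is an added example (not from the article, and not Svitzer’s or Maersk’s own tooling) that audits an exported list of inbox rules and flags any enabled rule whose forward, redirect or forward-as-attachment target lies outside the organisation’s own domains. The export layout, the domain list and the sample rules are all constructed assumptions.

```python
# Added example: flag inbox rules that forward or redirect mail to external
# addresses, the pattern behind the Svitzer breach. The JSON export layout is
# an assumption; a real export from a mail platform would be mapped into it.
import json

# Assumed: the organisation's own mail domains (subdomains count as internal).
INTERNAL_DOMAINS = {"example.com.au"}

# Constructed sample export: three mailboxes, one carrying a covert external rule.
SAMPLE_EXPORT = json.dumps([
    {"mailbox": "payroll@example.com.au", "rule": "Archive invoices",
     "enabled": True, "forward_to": [], "redirect_to": [],
     "forward_as_attachment_to": []},
    {"mailbox": "finance@example.com.au", "rule": "sync",
     "enabled": True, "forward_to": ["drop1@mail-example.net"],
     "redirect_to": [], "forward_as_attachment_to": []},
    {"mailbox": "ops@example.com.au", "rule": "Copy to deputy",
     "enabled": True, "forward_to": ["deputy@hr.example.com.au"],
     "redirect_to": [], "forward_as_attachment_to": []},
])


def is_external(address: str) -> bool:
    """True if the address's domain is neither an internal domain nor a subdomain of one."""
    domain = address.rsplit("@", 1)[-1].lower()
    return not any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def find_external_forwarding(export_json: str) -> list[dict]:
    """Return one finding per enabled rule that sends mail to at least one external address."""
    findings = []
    for rule in json.loads(export_json):
        if not rule.get("enabled", True):
            continue  # a disabled rule cannot forward mail, so it is not a finding
        targets = (rule["forward_to"] + rule["redirect_to"]
                   + rule["forward_as_attachment_to"])
        external = sorted({t for t in targets if is_external(t)})
        if external:
            findings.append({"mailbox": rule["mailbox"], "rule": rule["rule"],
                             "external_targets": external})
    return findings


if __name__ == "__main__":
    for f in find_external_forwarding(SAMPLE_EXPORT):
        print(f"{f['mailbox']}: rule '{f['rule']}' forwards to {f['external_targets']}")
```

Run regularly against a fresh export, the same check also covers mailbox-level forwarding settings if those are exported into the same list shape.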
“This is a reminder of the constant threat individuals and businesses alike face,” Svitzer Australia Managing Director Steffen Risager said in a statement confirming the significant breach. “The nature of cybercrime means while we can get it right a thousand times, the perpetrator only needs to get it right once. We will learn from this experience.”
Currently, Australian companies have a maximum of 30 days to conduct an assessment and disclose the details of a data breach once it is discovered. The Svitzer breach was reported considerably faster, after just 15 days. However, Europe is soon set to introduce new 72-hour reporting guidelines.
In terms of cyber security, 2017 was a year to forget for Svitzer’s parent company, Maersk, which was also badly hit by the NotPetya ransomware in a global cyberattack last June, at a potential cost of $300 million in lost revenue.
Thumbs down for Facebook
If there were ever any doubts about the potential for widespread cyber breaches, even within the biggest and best-funded corporations, they were firmly quashed by the scandal that continues to engulf Facebook and its multi-billionaire founder, Mark Zuckerberg. As has been well documented in the news media, revelations emerged earlier this year that the personal information of more than 87 million Facebook users, including over 300,000 Australians, had been ‘harvested’ without their knowledge by Cambridge Analytica – a firm linked to former Donald Trump campaign adviser Steve Bannon.
In an interview with the American NBC show Meet the Press, Cambridge Analytica whistle-blower Christopher Wylie explained that much of the damage from the Facebook data breach may never be fully known. “Facebook is now starting to take steps to rectify (the breach) and start to find out who had access to it and where it could have gone, but ultimately it’s not watertight to say we can ensure that all the data is gone forever,” he said.
Especially damning have been revelations that Facebook first discovered the information had been harvested in late 2015 but failed to alert users or authorities at the time. In a major wake-up call to senior managers across the globe, Zuckerberg has since repeatedly acknowledged – including in testimony before the US Congress – that a huge mistake had been made in failing to take a broad enough view of the company’s data security responsibilities.
The onus is on you
While your business may not be of the same scale as Facebook, or even Svitzer, it’s vital to understand and meet your obligations if you’re impacted by a data breach. Significant penalties may apply if you don’t. Full details of the Notifiable Data Breaches scheme, including specific guidance on how to report a breach, are available from the Office of the Australian Information Commissioner (OAIC).
If you’re concerned about the security of sensitive information in your business, and would like to explore your options, please contact Vishal Modi here.