Post Cyber Breach Analysis; the who, the when, the what, and the how

One of the biggest buzzwords for 2024 is Cyber. And the cyber professional is one of the fastest growing roles in Australia. Think of Australian businesses such as Canva, Optus, Medibank and HWL Ebsworth as well as a growing list of Australian Government organisations who may have had Personal Information stolen from their systems and you can appreciate the concern of business and government.

Promoted by Siera Data 12 March 2024 Big Law

This article focusses on the involvement of professionals after a company has its systems breached and private data is stolen.

It makes sense that some of the most in-demand professionals in 2024 are those who find potential weaknesses in an organisation’s IT systems, or act on behalf of an organisation when a breach occurs.

What gets lost in the excitement of cyber-attacks, however, is the graft work of the professionals who assist to identify “who was breached” and “what Personal Information of theirs was stolen”.

These professionals use a mix of technology and data analysis to help determine the “who” and the “what” during post-cyber breach analysis. And it is no surprise that the other buzzword of 2024, “Artificial Intelligence”, is part of the toolkit used by these professionals.


In response to high profile data violations, and the increased tempo and skillset of bad actors, the Office of the Australian Information Commissioner (OAIC) implemented a mandatory reporting regime for certain types of incidents involving Personal Information that are likely to result in serious harm. This reporting mandate requires companies who have been breached, where serious harm to one or more individuals is likely, to identify those individuals and the type of Personal Information that was compromised. The OAIC officially calls this part “the Assessment phase” of an effective data breach response.

A data breach is any security incident in which parties gain unauthorised access to an organisation’s systems. Sometimes the breach also includes the disclosure of sensitive or confidential information. Such information can include Personal Information such as opinions about an individual, tax file numbers, bank account details, healthcare data, customer data records, or other financial information. An organisation has a reporting obligation to the OAIC if the theft and disclosure of this material is likely to result in serious harm to any of the individuals to whom the information relates. The organisation must also have been unable to prevent the likely risk of serious harm with remedial action.

It is important to note that there is no ‘one size fits all’ solution to preparing for and responding to data breaches. Data breaches can be caused or exacerbated by a variety of factors, involve different types of Personal Information, and give rise to a range of actual or potential harms to individuals and entities. As such, there is no single formula for responding to a data breach. More specifically, we need to be flexible in our approach when responding to the task of finding those individuals whose data has been compromised, and determining what types of Personal Information are involved.

We know that corporate data is complex to analyse as it is often siloed and spread across large sprawling organisations. Even organisations themselves struggle to understand the enormity and complexity of their own data. However, our expertise to homogenise this data for the purposes of identifying employees, contractors, or customers whose data has been breached, and what data has been breached, is what sets us apart from everyone else.

THE WHO

An organisation that suffers a data breach involving third-party Personal Information may be subject to reporting obligations if certain criteria are met.1

THE WHEN

Once an organisation suffers a data breach there are a few criteria used to determine when a business should contact the regulator:2

  1. there is unauthorised access to or unauthorised disclosure of Personal Information, or a loss of Personal Information, that an organisation or agency holds;
  2. this unauthorised disclosure or loss of Personal Information is likely to result in serious harm to one or more individuals; and
  3. the organisation or agency hasn’t been able to prevent the likely risk of serious harm with remedial action.

THE WHAT

Personal Information is defined to include information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not.3

An organisation who is required to notify the regulator of a breach must prepare a statement about the data breach which includes the particular kind, or kinds of information concerned4 and, where practicable, notify individuals whose data was breached.5

THE HOW

After the breach has been identified and remediation has taken place, we look at which individuals and what forms of Personal Information have been exposed.

Most data breaches reveal large quantities of unstructured data such as emails and documents. Data such as this is analysed with three key approaches:

  • Human review
  • Machine Learning
  • Artificial Intelligence (AI)

This workflow uses a combination of all three approaches, mixing a person’s experience and skill with feeding a machine learning program to expedite the analysis. Add to this mix Artificial Intelligence (in this instance, AI is used for data analysis, not content creation) and the process ensures the most accurate analysis with the best levels of efficiency.

AI models are an interesting tool. They can be built for, and added to, the workflow of a specific breach investigation. They can also be repurposed such that the work done during the assessment phase can identify other areas of private information in the organisation as part of a remediation strategy.

Some Australian-centric Personal Information AI models can be built to address the cold start problem of reactive breach investigations. These “portable models” can also go a long way to assist other clients who are developing a proactive strategy to identify Personal Information as part of a data breach response plan.

Professionals who manage complex data breach projects need the flexibility to adapt to the unique challenges each breach event presents. It is important we make smart use of a human-centred approach to drive technology to its fullest capability. This allows a company going through the pain of a cyber breach to ensure that some of the hardest parts of a planned response are handled in the most appropriate way.

Learn more at Siera Data


1 s26WK Privacy Act 1988 (Cth)
2 s26WE Privacy Act 1988 (Cth)
3 s6(1) Privacy Act 1988 (Cth)
4 s26WK(3)(c) Privacy Act 1988 (Cth)
5 s26WL(2) Privacy Act 1988 (Cth)
