As we count down to the halfway mark for 2019, we take stock of current developments in the cyber risk landscape, and signpost upcoming changes that corporate counsel should be aware of when advising their organisation of this risk, write John Moran, Reece Corbett-Wilkins and Richard Berkahn.
One-year anniversary of the Notifiable Data Breaches scheme
The Office of the Australian Information Commissioner has recently released its inaugural annual report, summarising the first year of the Notifiable Data Breaches scheme, which provides useful insight into the operation of the scheme and types of incidents reported.
In summary, the OAIC received 964 eligible data breach notifications in the 12 months leading up to 31 March 2019, an increase of 712 per cent on the year before when notifications were voluntary.
Of note, 35 per cent of all reported incidents were attributable to human error (as distinct from malicious attacks and system faults). This is likely the result of the increased frequency of social engineering attacks impacting Australian organisations.
These social engineering attacks are known as “business email compromise” or “invoice fraud” incidents, which frequently result in the misdirection of funds, as well as unauthorised access to commercially sensitive corporate information and personal and financial information of individuals.
Implementing technical controls such as complex password policies and multi-factor authentication assists in reducing the risk of unauthorised mailbox access, as does educating employees not to use corporate work email accounts for signing up to online accounts. Organisations should check HIBP and other similar “credential stuffing” sites to confirm if accounts have been compromised and reset passwords for relevant accounts where required. Organisations should also implement payment processes to update bank account details over the phone or in person to reduce the misdirection of funds risk.
Multi-party breaches — fail to plan, plan to fail
A number of recent high-profile data breaches have exposed one of the weaker aspects of Australian privacy compliance, with a number of companies having to quickly come to grips with the Notifiable Data Breaches scheme’s multi-party breach notification requirements.
In practical terms, multi-party breaches are where a number of organisations are impacted by the same data incident, as a result of a “breach” (i.e. unauthorised access or disclosure) stemming from a central organisation which is used by those different organisations to hold or process data on their behalf. In other words, one entity is breached, but hundreds are left dealing with the consequences.
To prepare for and avoid the inevitable pandemonium that follows a multi-party breach, organisations will need to work closely with their service providers in advance of an incident occurring to map out how an interconnected web of organisations will work together to address the incident. Corporate counsel can implement terms into vendor agreements.
Given the recent high-profile incidents, we do not expect the OAIC or the public to tolerate mishandling of these types of incidents going forward. The expectation is that roles are clearly defined in advance by parties to ensure that incidents are expeditiously investigated (usually by the impacted entity), and if appropriate (and only if appropriate) are notified to individuals (usually by the entity with the direct relationship with the impacted individuals) in a clear and consistent way, to ensure that individuals are provided the help they need — without causing them undue and unnecessary alarm.
Incoming privacy laws increasing the scope of cyber protection laws
We are observing a global trend of greater consumer awareness around privacy, and increased expectations about how data is to be handled. Governments are introducing corresponding legislative frameworks to govern data handling to provide greater consumer protections.
We are only weeks away from consumers gaining greater control over the use of their data in the form of the Consumer Data Right, which is intended to increase transparency and competition amongst providers. Commencing on 1 July 2019, consumers will be able to better access and share their information with financial institutions under a scheme to be jointly regulated by the ACCC and the OAIC. There is the potential for similar operations to be rolled out across the energy sector, telecommunications sector, and perhaps additional sectors in the future.
Further away from home, on 1 January 2020 California’s Consumer Privacy Act will come into force, which will significantly enhance the rights of individuals and the obligations of regulated entities subject to the laws. We are keenly observing what global impacts this law will have on influencing other jurisdictions to similarly adopt “GDPR”-style schemes, in an attempt to achieve equivalency across the global privacy landscape.
A changing claims landscape
All eyes are currently on the increased privacy claims landscape, which is quietly brewing in the background while the OAIC’s investigation into the Cambridge Analytica privacy breach is finalised (with the findings to be announced in the not too distant future). This investigation follows the highly publicised probe into Facebook’s connections to the data harvesting applications, LifeApp. Approximately AUD 3.2 billion in compensation is being sought through the OAIC on behalf of approximately 311,127 affected Australian Facebook users.
Any decision handed down from the OAIC will have a significant impact on whether Australia ultimately sees the introduction of a privacy class action landscape, similar to that in the United States. If the OAIC adequately compensates the class of affected individuals, then this will likely be the forum and vehicle for privacy class actions in the future. If not, then the courts will be the appropriate forum, with litigation funders and a healthy plaintiff bar at the ready.
Assuming it is the latter, until or unless a statutory tort for the serious invasion of privacy is introduced, then individuals may struggle to seek redress for the time, cost, inconvenience, emotional distress and, in some cases, actual financial loss incurred as a result of the misuse of their data, with traditional causes of action being ill-equipped to provide an adequate remedy.
Convergence of regulators
In the post-Hayne royal commission world, regulators are coming under increased pressure to crack down on corporate behaviour, and also to be seen to be taking action.
With this in mind, and with multiple regulators carving out a role to play in regulating the handling of data (such as the OAIC, ACCC, ASIC, APRA and industry regulatory bodies that govern various professions), organisations should seek to understand in advance what their obligations are and ensure that they have adequately addressed their often overlapping regulatory compliance risk.
In particular, we are seeking a number of entities caught out by the extraterritorial operation of privacy laws — with both Australian entities caught by overseas laws and overseas entities caught by Australian laws.
How can corporate counsel address cyber risk?
There are a number of simple yet effective steps that organisations can take to significantly reduce their overall cyber risk exposure. Very few of these involve technical solutions, including developing a cyber incident response plan and testing it through a simulated incident called a “tabletop exercise”, rolling out awareness training to provide employees with the tools to spot phishing emails, and educating employees not use the same or similar passwords across multiple online accounts (at home or at work). Corporate counsel are well placed to lead such initiatives across the organisation.
Although some steps are technical in nature — they are all steps which are relevant to whether an organisation has taken reasonable steps to protect information from unauthorised access, disclosure and misuse — itself a legal question. We also find that corporate counsel are well placed to influence culture reform amongst organisations — which is perfect given that cyber risk can be traced back to human behaviour (rather than being an “IT issue”).
Finally, organisations should consider obtaining cyber insurance to cover first-party costs incurred in responding to an incident, third-party liability exposure resulting from privacy claims, and business interruption losses arising from the impact of an incident. Beyond viewing insurance as a risk-transfer mechanism, corporate counsel should consider the financial and reputational implications of an organisation being uninsured or underinsured, and without the appropriate support offered by insurers (through a pre-approved incident response panel) in the time of a significant crisis.
The authors of this opinion feature are practitioners at global firm Clyde & Co. Mr Moran (pictured, left) is a partner, and Mr Corbett-Wilkins (pictured, right) and Mr Berkahn are senior associates. The authors would also like to thank associate Chloe Sevil for her assistance in the preparation of this feature.