Following a half-yearly stocktake on developments in the cyber risk landscape last year, a team of lawyers from Clyde & Co returns to discuss such matters in the wake of COVID-19.
As we enter the second half of the year, and emerge from a time of much uncertainty, it is crucial to analyse the current developments in the cyber risk landscape and provide insights into the key issues facing organisations.
2-year anniversary of the Notifiable Data Breaches scheme and OAIC trends
We are now two and a half years into the mandatory data breach notification regime.
In February 2020, the OAIC released its biannual Notifiable Data Breaches Report. The report continues to highlight that a significant portion of data breaches is attributed to “human error” as the root cause (32 per cent, down from 34 per cent in the year prior).
Against this background, the OAIC continues to raise awareness that human behaviour is one of the most significant vulnerabilities exploited by actors committing cybercrimes. With this in mind, during Privacy Awareness Week earlier this year, the OAIC published a number of very helpful resources for employees and families to utilise, to stay safe online. These materials are a good source of information for addressing privacy risk across organisations.
The report also homes in on the frequency and severity of business email compromise incidents (i.e. mailbox breaches) and on entities using mailboxes as a means of storing vast quantities of data. The OAIC sets out the anatomy of such attacks and articulates its very clear expectation that organisations must undertake a robust review of such incidents, including assessing data risk (rather than treating them merely as low-grade phishing incidents).
As part of its overall regulatory focus, the OAIC is monitoring for organisations that store too much data in mailboxes (which not only increases the severity of incidents, but may be considered a violation of APP11.2 which requires that organisations periodically destroy/de-identify data when it is no longer required). We recommend that, coming out of COVID-19, all organisations review their data handling practices, and take steps to reduce their data risk by purging unnecessarily retained data.
Sustained cyber attacks against the Australian government and organisations
The Australian government has recently advised the public of a sustained targeting of government agencies and organisations in Australia by a sophisticated but unnamed state-based actor. Irrespective of who is allegedly behind such activity, the Australian Cyber Security Centre (ACSC) has issued detailed guidance to organisations to address such activity.
The ACSC has labelled this cyber campaign as “copy-paste compromises”, coming from the fact that the responsible threat actor has utilised tools copied from open source forums to undertake their activities (i.e. by exploiting vulnerabilities listed on the MITRE ATT&CK framework – which is essentially a shopping list online of known security vulnerabilities).
The threat actor has also been utilising a number of well-known spear-phishing techniques (in which emails are disguised to trick employees into thinking they are corresponding with legitimate people, not cybercriminals). These include:
- Links to credential-harvesting websites;
- Emails with links to malicious files, or with the malicious file directly attached;
- Links prompting users to grant Office 365 OAuth tokens to the actor; and
- Use of email tracking services to identify the email opening and lure click-through events.
Notably, when interacting with victim networks, the threat actor utilised legitimate Australian websites as their command and control servers (where they launch the attack from and propagate malicious activities). This technique rendered a popular security method known as “geoblocking” ineffective and added legitimacy to malicious network traffic during investigations.
To reduce the risks of compromise, the ACSC has recommended implementing the following mitigation steps:
- Patch internet-facing software, operating systems and devices within the next 48 hours – All exploits used are publicly known and there are patches or mitigation steps available. Where possible, use the latest versions of software and operating systems.
- Use multi-factor authentication across all remote access services – Multi-factor authentication needs to be applied to all internet-accessible remote access services, including:
  - Web and cloud-based email, including Microsoft Office 365;
  - Collaboration platforms;
  - Virtual private network connections; and
  - Remote desktop services.
In response to this advisory, we recommend that all organisations provide this ACSC circular to their IT team or external IT provider for actioning.
There is a risk that, should an incident arise out of one of these vulnerabilities being exploited, and absent good reason not to have patched the vulnerabilities, it will be argued that the entity did not take reasonable steps to secure its systems, thereby exposing that entity (or the external IT provider) to liability.
Ransomware trends – ‘big game cyber hunting’
Over the last four months in Australia, we have noticed a trend of “big game cyber hunting” whereby threat actors routinely target mid-market to large-sized organisations with ransomware, knowing that these organisations can afford to pay large extortion sums. We have recently seen ransomware demands in Australia average at the $1 million to $3 million mark, with some being in excess of $10 million.
Additionally, ransomware matters are now more often than not hybrid in nature. Not only does the ransomware encrypt the target entity’s files and systems, but as part of the attack and prior to deploying the ransomware, the threat actor group takes large quantities of data for later sale or disclosure on the dark web. This allows the threat actor group to further extort the target entity, seeking payment in consideration for deleting the data and not disclosing it online. Should this occur, organisations face significant privacy, commercial and reputational risk.
We recommend that as part of this new trend of targeted and high-profile ransomware attacks, all organisations scenario test their intended response to such an event. This includes completing a decision-making framework around whether the organisation would pay a ransom demand and the steps that will be taken should this occur (including addressing AML/CTF risk). A number of organisations have paid the ransom in such scenarios, justifying it to prevent publication, dissemination and misuse of data.
While the natural starting point is that ransom demands should only be paid as a last resort, should this decision-making framework not be addressed in advance of an incident, decisions are often hastily made by leadership teams leading to unintended and undesirable outcomes. For those entities who are unfortunately impacted by this type of incident, support is available with a number of organisations specialising in responding to this particular type of incident. The ACSC is also coordinating its efforts to assist Australian organisations with responding to this type of incident.
Malicious cyber attacks continue following COVID-19
As the world continues to deal with the economic and operational challenges from the global COVID-19 pandemic and subsequent waves, organisations need to continue to address COVID-19-related cyber risk. These include:
- COVID-19-related phishing attacks;
- Exploitation of insecure software and hardware systems in remote working environments; and
- Fake applications that can load ransomware and spyware on devices.
The speed at which organisations were initially forced to respond to social isolation restrictions as a result of COVID-19 left many organisations vulnerable to attack by threat actors rushing to exploit the situation. Despite this, the expectation will be that organisations continue to harden their defences and educate their employees to minimise ongoing cyber-security risk.
The ACSC has prepared a number of helpful resources, which we recommend all organisations read, in understanding how to address the ongoing risks of a distributed workforce. This includes, notably, teaching employees how to spot a phishing scam.
Privacy litigation and regulatory enforcement activity
The past year has seen an increase in litigation and regulatory enforcement action brought against entities relating to data events. Such activity will continue to test Australia’s privacy laws and impact on whether a common law action for breach of privacy will be developed through the courts, or whether it will be left to Parliament to create a statutory tort.
Some of the recent actions which have and will continue to impact on the developing privacy legal jurisprudence are:
- Federal Court proceedings brought by the OAIC against Facebook in connection with the Cambridge Analytica scandal, in which the OAIC argues that Facebook has committed serious and/or repeated interferences with the privacy of its users. The proceedings are in the early stages, with arguments about jurisdiction being raised (which, in itself, will help to clarify the circumstances in which overseas entities are subject to Australian privacy laws).
- Settlement of Australia’s first-ever privacy class action brought against the NSW Ambulance Service, involving the unauthorised disclosure of personal information of ambulance service employees. This decision demonstrates that there are real risks of class actions being launched, and there being a minimum settlement value to be recovered by litigants and funders against defendants. There are a number of test cases currently being formulated off the back of this case.
- Formal investigation commenced by the OAIC and the UK’s Information Commissioner's Office (ICO) against Clearview AI focusing on the company’s use of “scraped” biometric data of individuals. This investigation is a continuation of the OAIC’s appetite to jointly investigate global data incidents together with international data protection authorities. This investigation will also set the tone and framework for the way in which entities handle biometric data. Biometric data presents different challenges, being highly sensitive and a permanent identifier as a form of personal information which cannot be replaced to prevent data misuse (unlike personal contact and financial information).
- Calls for a class action to be brought against a large Australian telco for revealing the personal information of more than 50,000 customers, including their home addresses, online. This case was dropped by one well-known plaintiff law firm and picked up by another, signalling a mixed appetite by the plaintiff bar to run with test cases in the absence of a clear and established legal framework.
- Early-stage enquiries being made by the ACCC against a global tech company alleging infringements of the Australian Consumer Laws under the Competition and Consumer Act 2010 (Cth), in connection with a well-publicised data event which occurred during COVID-19. This is a continuation of the ACCC’s foray into the data misuse space, following its action against Google for data-tracking activities, and Lime Scooters for not patching technology. It also comes at a time when the ACCC and OAIC are looking to co-regulate data usage under the Consumer Data Right framework which went live on 1 July 2020.
The above regulatory enforcement activity in particular demonstrates a continuation of a theme we observed last year, being the convergence of regulators wishing to co-regulate the data/privacy/tech space in a post-Hayne royal commission world. This includes the OAIC, ACCC, ASIC and APRA (in addition to various industry professional bodies).
We are also aware of increased appetite by funds, plaintiff law firms and privacy counsel to develop class action jurisprudence through strategic test case litigation in the privacy litigation space, although much will likely turn on the outcome of the class action reform inquiry presently underway.
How can corporate counsel address cyber risk?
Increasingly, the legal function of any organisation is being called in to assist with helping the organisation respond to cyber/data-related events. Corporate counsel are well placed to play a leading role in the incident response especially given the need to report to key decision-makers within the business including at board level.
Beyond this, given the recent Capital One decision in the US, in which the court ordered the disclosure of a Mandiant forensic report stating that legal professional privilege did not apply, there has been increased scrutiny around the process of engaging vendors and ensuring that key communications are protected by privilege from later disclosure.
Corporate counsel (and external legal advisers) ought to establish a process for minimising legal risk, while ensuring that the incident response is advanced expeditiously with the legal teams supporting the core response team in containment and recovery efforts.
Finally, to minimise litigation risk in advance of any data privacy action, we recommend that organisations take steps to review their data handling practices and invest in documenting those practices, as well as ensure that entities are compliant with industry best practice standards. This will allow an organisation to demonstrate that they took reasonable steps in any later litigation or regulatory inquiry. Corporate counsel can drive such activities, emphasising the benefits of record keeping as part of good governance.
The authors of this piece are Clyde & Co partner John Moran, senior associates Reece Corbett-Wilkins, Richard Berkahn and Sophie White. Firm associate Gary Bayarsaikhan assisted in preparing the piece.