Mandatory data breach reporting legislation and your Australian organisation: BAU?

Australia now joins the list of states and countries which have implemented – or are in the process of  enacting – mandatory data breach legislation.

The Privacy Amendment (Notifiable Data Breaches) Bill 2016 was passed in February 2017. It applies to organisations that meet specific criteria, such as business size or stewardship over specific categories of personal data (e.g. children). The laws will take effect in early 2018.

My focus in this article is to look at what this means for organisations in broad terms. Feel free to share this article with your Board and C-Suite – it may help shape their approach to compliance with the new legislation.

Fact is, the glacial pace of legislative and regulatory change stands in stark contrast to the fast-paced, volatile and comparatively uncertain world of digital and information technologies.

The legislative tortoise is struggling to keep up with the digital hare in this instance – however in this race, there is no finishing line. It’s what happens on the journey that determines the real winners.

Irrespective of whether your organisation’s efforts on cyber security are driven by (i) compliance with mandatory data breach reporting legislation, or (ii) minimising the adverse business impacts of a cyber security event – or both – how best to proceed?

If this was MY business…..

Put yourself in your organisation’s Boardroom for a moment. What would you do if this was your business?

On the one hand, evidence is compelling that data breaches continue to occur with impunity. Organisations that may have implemented demonstrated ‘best-practice’ and have much deeper pockets than you when it comes to cyber security measures are also impacted by data breaches.

Fact remains, to date, the list of data breaches is impressive and getting longer by the day.

The recent Ponemon Institute study, based on over 1,000 respondents from within the United Kingdom and North American organisations, offers some useful insights into the challenge facing the ‘C-suite’. Among the key findings were that critical cyber threat information was frequently not provided to the C-Suite and “70 percent of security industry professionals believe threat intelligence is often too voluminous and/or complex to provide actionable insights”. Makes for sobering reading.

On the other hand, the ‘do nothing’ option is not an option. Problem is – what does doing ‘something’ look like for you and your organisation?

… what should or could I do?

So, what steps would you look at putting in place to protect your organisation’s information assets? Beef up your own internal cybersecurity capabilities by throwing technology at the problem? Employ a consultant to do an independent assessment of your cyber vulnerabilities? Outsource it to someone who really has the right credentials and reputation?

How would you – as an executive who is (potentially) not an expert in IT or cyber-security – ensure that a sustainable and effective cybersecurity protection regime exists for your whole organisation?

Cyber security – the game of probability.

Conventional approaches to enterprise information security certification and compliance largely revolve around the establishment and maintenance of an ‘information asset’ register.  The business risks to a specific ‘information asset’ typically follow the logic of:

Business risk associated with a specific event for that asset (or asset group) = (Impact on the organisation  x Probability of that event occurring) + Risk Adjustment

This approach underpins information security certification and compliance models such as ISO/IEC 27001. It often does not account for the inter-dependencies and interaction between risks.

Certification may be necessary, but it is certainly not a sufficient prerequisite for ensuring an effective, sustainable, adaptable and cost-effective cyber security regime for your entire organisation.

Added to this assessment should be the probability of your organisation falling foul of any mandatory data breach reporting legislation, and the likelihood of prosecution with the resulting bad press and reputational damage.

Apply the 80/20 rule – to your advantage

The first step in addressing this unpredictable and rapidly evolving challenge is to recognise the source of the majority of adverse cyber events (such as data breaches). Not focusing exclusively on the technical aspects would be a good start.

Fact is, people are the weakest link in cyber security, and make a substantial contribution to data breaches.

Industry reports vary; however, it is safe to say that between 40% and 60% show that organisations are their own worst enemy when it comes to cyber security and data breaches.

To cite one example, according to the Verizon 2016 Data Breach Investigation Report, insider and privileged misuse played its part in confirmed data breaches:

  • Use of legitimate user credentials associated with most data breaches. [63% using weak, default, or stolen passwords]
  • 33% by end users with access to sensitive data to do their jobs
  • Equal 14% were Executives and privileged IT staff (Administrators, Developers, etc)

Consider these 5 suggestions in addressing the threat from within your own organisation – whether accidental or otherwise.

Mandatory Data Breach?  What? Where? When? How?

At the heart of the effectiveness of any data breach countermeasures lies the early (hopefully, real-time) detection of suspicious activity, or of the occurrence of an actual data breach.

Many data breaches are not discovered for months, or even years. Additionally, in many instances the breach is first detected by someone other than the organisation itself. This presents a real challenge for organisations where the breach may have occurred and the perpetrator has long since moved on.

To minimise the time lag between a breach occurring and you first hearing about it, harness the collective insights and observations of your key staff and managers across the organisation in a timely and efficient manner through a process that works for your business.

The key capability that should be developed is the ability to rapidly correlate and distil these insights and observations in such a way as to detect (and preempt) possible data breach events.

This is not as difficult as it sounds.

Lastly, develop a response plan then ingrain it within your organisation’s culture

Ensuring that your organisation has a proven and effective capability for promptly responding to a suspected or confirmed data breach is key. This will help to restore trust in your organisation’s ability to respond. It will also provide clear evidence that your breach notification, assessment, escalation and resolution capabilities are effective and efficient.

Of course, focusing on the factors within your organisation should not ignore the deliberate, real and persistent threats from outside operators.

The shadowy world of cyber crime, opportunistic hackers, state-sponsored cyber attacks, terrorism and those who inhabit the so-called dark web remain a real threat.

Wade Baker, principal author of the 2014 Data Breach Investigations Report from the US mobile communications company Verizon, summed up the situation more bluntly: “After analysing 10 years of data, we realise most organisations cannot keep up with cyber crime – and the bad guys are winning”.

The message could not be more compelling: Ensure that both your external and internal risks of a data breach are proactively and systematically identified, managed and controlled.

To do this requires an across-the-board input and engagement by all stakeholders within and outside of your organisation.  That includes actors such as staff, managers, contractors, the C-suite, customers, regulators, suppliers, cloud services providers, auditors and regulatory authorities, as the case may be.

Now that’s a task for leadership, and not solely a technology solution.

At the end of the day legislation should not define your minimum approach to dealing with a data breach.  Your business, staff and its customers deserve better.