When governments pass new cybersecurity legislation, it inevitably sets in motion a whirlwind of activity to ensure compliance and avoid fines by establishing sound action plans. But many organisations in Australia are still unsure of the best approaches to protecting personal privacy in the event of a data breach.
In fact, at a recent roundtable discussion in Melbourne among senior IT executives—hosted by Palo Alto Networks, AGC Networks Australia, and King & Wood Mallesons, a leading law firm specializing in cybersecurity—attendees acknowledged they still have a ways to go before they are confident in their ability to meet requirements under the new Privacy Amendment Bill covering notifiable data breaches.
Specifically, attendees’ and presenters’ discussions centered on four key areas:
- What organizations need to know about the legislation in order to avoid compliance problems.
- Which actions should be taken to safeguard privacy information and educate employees against potential breach threats.
- How to define “serious harm” under the new legislation and how this may be applied differently to customers and businesses in unique scenarios.
- Determining who is responsible for managing and containing the breach, and for alerting customers.
One of the most significant takeaways from the roundtable—attended by senior executives in IT, compliance, governance, legal, and business management across a range of leading Australian organisations—is that uncertainty around the legislation is a major and unavoidable issue that must be taken seriously. While the legislation does lay out a number of specific requirements, attendees and expert speakers agreed that organisations are not as clear as they need to be on the extent of the data and information they are collecting that would be governed by the new law. “The question is, what are you collecting and does it fall into the Privacy Act,” said Sean Duca, vice president and regional chief security officer in Asia Pacific for Palo Alto Networks. “There are organizations that don’t know to what extent they’re collecting information: If you collect it, you need to protect it.”
Cheng Lim, partner and head of King & Wood Mallesons’ international cybersecurity team, added: “The legislation, as part of the Privacy Act, does not involve ransomware. It deals with breaches of personal information, and the loss of, or disclosure of, personal information [PI].”
According to Cheng Lim, “Businesses aren’t sure what to do when responding to a data breach involving personal information. They need an incident plan that supports good privacy practice and covers all obligations, safeguards, notifications, disclosures, and mitigation strategies.”
One unique approach to minimizing the likelihood of a data breach compromising personal information came from the technology director at a major e-commerce organization. “In terms of minimizing the chances of this happening, we’re trying to collect the least amount of data,” he said. For instance, he explained that the company does not accept credit cards on its own network, using third-party payment providers instead. “A smaller data footprint means we have fewer concerns to take care of and respond to.”
Another key issue for all employees to understand and respect is that even a data breach of a single record of personal information requires notification. “If the breach was to cause just one person serious harm, then notification is required,” said Cheng Lim.
Defining “Serious Harm”
Obviously, “serious harm” can be defined in different ways according to a wide variety of factors, such as the type of information collected, the sources of that information, and who is impacted by the disclosure of that information. In general, the consensus was to be especially mindful of the impact of disclosing permanent attributes of individuals, such as sexual orientation, political opinions, date of birth, salary information, and the like.
The roundtable also touched on the idea that organizations can suffer substantial damage to their brands—often reflected in their stock market valuations—after a data breach. “From a brand perspective, the cost of a breach is very murky and it’s hard to quantify,” said Duca. “Maybe the lesson learned is to change your ways, correct your path, and make sure it doesn’t happen again. Cyber insurance is a great defense; however, brand reputation will never be covered by cyber insurance.”
Who is Responsible?
“Cyber is more than just an IT risk,” said Cheng Lim. “It’s a business risk, and you need an organisational structure that follows that.” He added that it makes the most sense to have a CISO oversee management, containment, and alerting, reporting directly to the board of directors on these matters.
“It’s a top-down approach,” said Palo Alto Networks’ Duca. “Look at the leaders in organizations—if they’re not following the right path and setting the right tone and example in the organisation, why should others bother?”
This means that addressing the compliance mandate must be done within the broader context of cybersecurity, which increasingly demands that IT, security, and business leaders from different disciplines all participate in the planning, implementation, and ongoing management. As one roundtable participant aptly pointed out: “You need a wide demographic of people with different skills to solve these problems. Never mind the technical jargon; true leadership must inspire tech people to solve the business problems caused by data breaches.”
Some of the most significant lessons learned from the roundtable discussion centered on the idea of getting to problems before breaches occur, rather than concentrating only on mitigating the impact of breaches and aligning with the regulatory requirements.
“Breach management starts with governance, audit, review, protection, and then breach management,” said Cheng Lim. “Firstly, you want to prevent incidents and not focus on breach management.”
Bottom line: Prevention is key, which means that preparation is crucial. Conversations need to revolve first and foremost around preventing data breaches that expose private information. Although incident-management plans are essential, prevention always leads the way in all cybersecurity frameworks, including compliance with the new Privacy Amendment Bill.