Perspectives on Cyber Risk 2020 - minterellison.com - Minter Ellison
Contents
Methodology 3
Executive summary 4
Looking back on 2019 6
Lessons to learn from 2019 7
What’s ahead 8
Findings of our 2019 cyber risk survey 10
Lessons learned from high profile Australian data breaches over the last 12 months 14
Increasing regulatory enforcement 17
MinterEllison cybersecurity services 20

Thank you to members of our data protection and privacy team who have contributed to the preparation of this report: Paul Kallenbach, Partner; Susan Kantor, Senior Associate; Margaret Gigliotti, Senior Associate; Gary Yang, Lawyer.

MinterEllison Perspectives on Cyber Risk 2020 2
Methodology

MinterEllison’s fifth annual cybersecurity survey was completed by more than 120 legal counsel, Chief Information Officers, Chief Operating Officers, Data Protection / Privacy Officers, Board members, IT specialists and risk managers of ASX 200 and private companies, government agencies and not-for-profit organisations.

Just over half of our respondents came from organisations with more than 1,000 staff.

As in 2019, we issued the same survey to all participants. Participants responded to questions about cybersecurity roles, responsibilities and attitudes within their organisations.

The survey was conducted during November 2019. This report reflects the quantitative results of the survey questions, as well as the respondents’ qualitative comments.

All information provided by participants is confidential and reported primarily in aggregate form. The views expressed in this report do not necessarily reflect the views of the individual respondents, unless otherwise stated.

We make no representation or warranty about the accuracy of the information, or about how closely the information gathered will reflect actual organisational performance or effectiveness.

This report contains general advice only, and does not take into account your organisation’s particular circumstances or objectives.

Due to rounding, responses to the questions covered in this report may not add up to 100%.
Executive summary

As in previous years, in Perspectives on Cyber Risk 2020, we review the cyber risk challenges that have arisen over the past 12 months, analyse the cyber survey responses received, and consider what the next 12 months may hold.

However, 2020 has brought with it some significant new challenges, and we cannot overlook the additional risks currently facing all organisations as a consequence of COVID-19. In addition to clear and present health, economic and logistical challenges, it is important that organisations do not underestimate elevated cyber risks resulting from the pandemic.

These cyber risks are manifesting in a number of ways. Cyber criminals are already seeking to take advantage of the fraught global situation by establishing malicious websites that purport to offer public health information but instead access users’ personal details, and by distributing ransomware or other malware using disguised COVID-19 related emails, SMS messages and phone calls (including by impersonating the World Health Organisation and government authorities).

In these uncertain times, it is understandable that individuals will feel more vulnerable and anxious to keep themselves updated with the latest public information. This may make them more susceptible to malicious messages or social engineering attacks. As highlighted later in our Report, personnel who inadvertently succumb to phishing attacks continue to be a key source of cyber incidents.

In addition, with so many organisations having moved to a work from home environment, in-house and external IT resources are more stretched than ever, and are being diverted to ensure that remote access connectivity can be maintained for staff. However, it remains critical to ensure that business as usual security processes are not degraded, leaving IT systems vulnerable to attack.

Moreover, with large numbers of workers now relying on their home networks and devices in order to access work resources, there are increased points of vulnerability for many organisations.

It is more important than ever that organisations continue to distribute cyber awareness information to their staff, to ensure heightened vigilance about the threat of phishing and other cyber attacks, and that IT security policies, processes and procedures are updated to take account of the far-reaching impact of COVID-19.

Some tips to protect yourself from COVID-19 related cyber attacks
- Do not reply, click on links or open attachments on suspicious or unsolicited emails
- Never respond to unsolicited SMS or calls that ask for personal or financial details – just press delete or hang up
- Think before you click on any links shared in Whatsapp, Facebook or other social media platforms
- Thoroughly research websites before providing your information or buying any products
- Scammers could also set up fake charities – carefully vet the organisation before you donate
“This is a time for action and leadership. Poor understanding of cyber security and an inability to mitigate cyber risk will leave directors and organisations exposed to heightened legal and reputational risk and regulatory scrutiny”
Looking back on 2019

During 2019, cyber attacks affected millions of individuals worldwide. These included large scale breaches in Australia, most notably the infiltration of the Australian National University’s information systems by a sophisticated malicious actor, and the exposure of LandMark White’s records on the ‘dark web’.

As the frequency, sophistication and impact of cyber attacks continue to grow, so too does the stridency of the response by global privacy regulators – particularly against organisations which fail to implement basic security controls, leaving themselves and their customers vulnerable to attack. In the past 12 months, this has been reflected in record fines imposed by regulators, including a US$5 billion fine levied against Facebook by the US Federal Trade Commission, and the UK Information Commissioner’s Office’s proposed £183.39 million fine against British Airways and £99 million fine against Marriott.

2019 was marked by fewer changes to privacy law affecting Australian organisations compared with 2018, which saw the introduction of both Australia’s mandatory data breach notification laws and the European General Data Protection Regulation (GDPR). This has afforded a welcome opportunity for many organisations to consolidate and refine their privacy compliance and data protection activities.

The Australian banking sector, however, continues to grapple with evolving regulatory requirements. In 2019, banks continued to prepare for the implementation of the consumer data right (now delayed to July 2020), as well as new information security requirements imposed by the Australian Prudential Regulation Authority (APRA) under Prudential Standard CPS 234.

With CPS 234, APRA seeks to drive improvements in information security practices. These practices affect not only financial services sector organisations, but many of their suppliers, who must meet APRA’s security standards in order to provide ICT services to their financial services customers.

It is also clear, following the release of the Australian Competition and Consumer Commission’s (ACCC’s) Digital Platforms Inquiry Final Report and the commencement of legal proceedings against HealthEngine and Google, that the ACCC is now focused on privacy and consumer data risks, and is determined to take on a proactive role in addressing deficient privacy and security practices.

In 2020, the message to directors and management is clear: poor data security practices can impact not only the board room, but the bottom line. An insufficient understanding of cybersecurity and an inability to mitigate cyber risk will leave directors and organisations exposed to the heightened privacy and data security expectations of regulators and customers.
Lessons to learn from 2019

There are important lessons for organisations arising from various publicly reported data breaches and enforcement action across the globe in 2019:

1. Implement and regularly test robust cybersecurity governance arrangements (including incident response and business continuity plans) – investment by management and allocation of resources is crucial.
2. Implement and regularly update technical controls, including by applying the Australian Signals Directorate’s Essential Eight Maturity Model.
3. Ensure ongoing and regular training for staff on cybersecurity risks, especially regarding phishing emails and social engineering attacks.
4. Undertake thorough due diligence in relation to key suppliers’ data handling and IT security practices, and regularly audit those suppliers.
5. Implement arrangements to manage insider risks, including an appropriate level of monitoring and auditing of personnel.
6. Undertake thorough cybersecurity due diligence as part of proposed M&A transactions – know what you are buying.
7. Be aware of risks around de-identification of data, particularly with large data sets, and implement controls to limit the use and disclosure of de-identified data.
What’s ahead?

We can expect that cyber attacks will continue to become even more sophisticated. The ANU data breach exemplifies just how sophisticated malicious actors have become (and is further considered on page 14). The significant impact of large scale data breaches is already evident in 2020 following the ransomware attack on freight delivery company, Toll. In January, Toll was forced to temporarily shut down some of its IT systems following the attack, resulting in manual workarounds.

Despite these recent developments, individuals continue to share, and organisations continue to collect, an ever greater volume of data. The need for robust cybersecurity arrangements – particularly to maintain public trust in the handling of data by both public and private sector organisations – remains as important as ever.

Significantly, we await the outcome of Federal Court proceedings commenced in March 2020 by the Australian Information Commissioner against Facebook in connection with the Cambridge Analytica matter. In the six years since the civil penalty provisions under the Privacy Act took effect, this is the first time that the Commissioner has issued proceedings alleging that an organisation has committed serious or repeated interferences with privacy. If the Commissioner is successful, the action could result in the first civil penalty order imposed under the Privacy Act.

In the future, we can expect that the ACCC will play a more central role in the regulation of consumer-related data, including by taking enforcement action against organisations. Organisations should therefore take steps to ensure that their public-facing privacy and IT policies and statements do not include representations that are misleading or deceptive to, or that are likely to mislead or deceive, the public.

Another area of focus for the ACCC is the implementation of the Consumer Data Right (CDR). On 20 December 2019, the ACCC announced that the introduction of the information-sharing obligations associated with the CDR in the banking industry had been delayed by six months, to allow for ‘additional implementation work and testing to be completed and better ensure necessary security and privacy protections operate effectively’. ACCC Commissioner Sarah Court said ‘[r]obust privacy protection and information security are core features of the CDR and establishing appropriate regulatory settings and IT infrastructure cannot be rushed’.
The CDR regime

In the banking sector, the CDR (referred to as ‘Open Banking’) means that a customer of a bank – whether an individual or business – can request or give consent for their data to be shared with an accredited third party. The scheme is intended to offer customers clearer visibility of their data and, consequently, the ability to make more informed decisions, as well as to facilitate increased competition in the sector.

On 6 February 2020, the ACCC announced the commencement of the CDR Rules, and the Office of the Australian Information Commissioner subsequently released the CDR Privacy Safeguard Guidelines. The current challenge for the banking sector is to determine how it will implement the Rules and Guidelines, as well as the Consumer Data Standards, which are issued by Data61.

The legislation and rules that make up the CDR are complex, and we expect that organisations subject to the CDR will be grappling with how they will implement procedures and processes to operationalise them. A further consideration is that the same dataset held within an organisation could be subject to regulation under both the Privacy Act and the CDR regime at different times, depending on the capacity in which the organisation, at any given time, is holding the data.

Importantly, if the data is CDR data, the CDR regime supersedes privacy laws. Therefore, the question for organisations is whether they should generally raise their compliance standards to meet the stricter CDR requirements at all times, or whether they should apply different standards at different times. An analogous dilemma arises in relation to the GDPR. Here, many global organisations have adopted a global compliance standard of GDPR requirements (which is, in general terms, stricter than most other privacy regimes, including Australia’s), rather than taking a different approach in each jurisdiction in which they operate.

While there are advantages in streamlining an organisation’s compliance approach, in some cases there may be practical difficulties in adopting a single, higher standard. These include greater compliance costs, and the cultural and other changes that may be required within a global organisation in order to adopt the higher standard.

Although the CDR is being implemented initially in the banking sector, the government has already announced that, in due course, it will also apply to the energy and telecommunications sectors.

Following a period of consultation, the ACCC announced in August 2019 the preferred data sharing model in the energy sector (using the Australian Energy Market Operator as the gateway for making CDR requests and distributing information). This was determined to be the preferred model for energy operators, rather than the model of direct request and access used in the banking sector, given the unique manner in which data is held across the energy industry.

In January 2020, the federal Treasurer announced the government’s Inquiry Into Future Directions of the Consumer Data Right, and is seeking submissions from all sectors of the economy on a range of matters about the CDR, including how it can support the development of a safe and efficient digital economy. The Inquiry is currently due to report by September 2020.
Findings of our 2019 cyber risk survey

In late 2019, we conducted our fifth annual cybersecurity survey to understand the level of awareness of, and importance that organisations place on, cyber risk.

Finding #1: The more you know, the more you realise you don’t know

In previous surveys conducted between 2016 and 2018, there had been a year-on-year increase in the number of respondents who identified themselves as having a ‘very good understanding’ of their organisation’s exposure to the risk of cyber attacks. However, this year marks the first year in which there was a decline in this response, falling from 35% of respondents last year to just 20% this year.

Does this mean that organisations have become less knowledgeable about the risks of cyber attacks over the past 12 months? We think this unlikely. Rather, this year’s decline may reflect an acknowledgment by respondents of the increasingly complex and ever-evolving nature of cyber risk, and of the need to continually augment their understanding of a dynamic cyber risk landscape.

It is critical for organisations to recognise the need for adaptation, learning and change. Failure to do so can lead to complacency and vulnerability.
Finding #2: Testing cybersecurity and data incident response plans is critical

In our latest survey, we saw a significant increase in the number of organisations which have been subject to more than five cyber attacks that have compromised their systems or data in the past 12 months – from 5% in 2018 to 14% in 2019. There has also been a corresponding decrease in the number of organisations which have not suffered such an attack, from 63% in 2018 to 38% in 2019. A majority of our survey respondents have experienced some form of compromising cyber attack in the past year.

These results reflect the increase in the volume of cyber attacks that organisations are experiencing, as well as the evolving nature of cyber risk – meaning that even vigilant organisations may suffer multiple attacks.

It is pleasing, however, to see an increase, albeit a small one, in the number of respondents who told us that their organisation regularly tests its data incident response plans. This signals a growing awareness by organisations of the need to continually improve and enhance their approach to cyber risk, as the volume and complexity of cyber attacks continue to increase. More recently, COVID-19 has put business continuity plans in the spotlight, with cyber risk and digital resources a significant part of this.

Finding #3: Cyberattacks which rely on social engineering are still the most prevalent

Among our survey respondents, the most prevalent form of cybersecurity incident resulted from social engineering, with 50% of incidents involving a phishing incident (whether via email or telephone) and a further 21% involving an email compromise (such as invoice fraud). Of the other identified types of incidents, only 3% comprised denial of service attacks, while 13% involved ransomware.

This finding is consistent with the Office of the Australian Information Commissioner’s (OAIC’s) 2019 Insights Report in relation to Australia’s Notifiable Data Breaches scheme, which found that ‘phishing and spear phishing continue to be the most common and highly effective methods by which entities are being compromised’. The most recent statistics published (covering 1 July through 31 December 2019) continue to reflect this position. Of all malicious attacks reported to the OAIC during that period, 44% involved some form of phishing attack. These findings demonstrate that, no matter how robust an organisation’s technical security, the element of human error will always exist. Unfortunately, it only takes one individual within an organisation to follow a malicious link, or to provide information they ought not have, to expose their organisation (and potentially organisations with which they electronically interact) to cyber risk.

Given the prevalence of phishing and other social engineering related attacks, we were pleased to see that, of the organisations which told us they had been affected by a cybersecurity incident, 60% provided additional staff training and communication as a consequence. As criminals become more sophisticated in their phishing and social engineering techniques, organisations must arm their employees with critical tools (including regular staff training and communication) to defend themselves and their workplace.

The Australian National University (ANU) cyber incident in 2019 (discussed on page 14) is a recent example of a sophisticated phishing attack.

Recently, artificial intelligence (AI) techniques have been deployed to conduct cyber attacks. For example, in early 2019, AI-based software was used to impersonate the voice of a chief executive of a UK-based energy company, defrauding the company of €220,000. The number of such attacks is likely to grow as the sophistication of AI-based systems continues to evolve.
Finding #4: Uptake in the usage of AI and big data is at its early stages, but there is an increasing awareness of potential privacy implications

The potential for AI and big data to reshape organisations and industries has been a frequent topic of discussion in the media over the past 12 months. However, at least for our respondents, the media hype is not yet reflected in the implementation of AI and big data solutions within their organisations. Our survey results disclosed only a modest increase – from 15% last year to 21% this year – in organisations currently using an AI or big data solution. Around 10% (about the same as last year) said they planned to implement such a solution in the next 12 months.

Of those organisations employing AI or big data solutions, there was a significant increase in the number that have undertaken a privacy or security impact assessment in relation to the implementation of such technology, from 32% last year to 53% this year. This is particularly important for AI and big data projects, which by their nature rely on large data sets. As the digital threat environment has become more sophisticated, these data sets have proven to be attractive targets for unscrupulous actors (both external and internal).

There is an increased focus by regulators and the public on the ethical implications of AI and big data. Many of these implications are privacy-related, including, for example, the ramifications of the improper use of AI and big data in re-identifying information as personal information, and the use of flawed or biased algorithms in policing and other sensitive contexts.

The use of AI and machine learning technology has attracted recent media attention in the case of Clearview AI, an application owned by a private company that has collected more than three billion publicly available images from the internet and uses machine learning to create biometric templates to match those images to individuals. The use of Clearview AI by law enforcement agencies in Australia and overseas has garnered criticism from privacy advocates due to the lack of transparency and accountability in the way the tool is used, and the lack of privacy protections in place. Proponents of the technology maintain that it has been successful in identifying criminals and securing convictions. However, Digital Rights Watch and other privacy advocate groups, both in Australia and overseas, have called for a moratorium on the use of facial recognition technologies until regulatory frameworks for their use have been implemented.

Concurrently, the Australian Human Rights Commission released its Human Rights and Technology Discussion Paper in December 2019, seeking submissions on its 29 preliminary recommendations to protect and enhance human rights in the context of technological advances (particularly AI), including the regulation of AI-influenced decision making. At this stage, it remains to be seen whether new AI regulation will be introduced in Australia. However, with this context in mind, it is important for organisations to prudently approach the implementation of AI and big data solutions.

To this end, privacy impact assessments are recommended by the OAIC for any project involving the handling of personal information, to determine compliance with privacy legislation and alignment with public privacy expectations. These assessments are particularly important for projects involving AI and big data solutions, which often deploy ground breaking technologies of significant power and potential, but also ingest vast amounts of data and pose new privacy challenges for organisations. For those starting new projects, incorporating ‘privacy by design’ elements, such as de-identifying data where possible, can go some way to mitigating the reputational and financial risks that serious data breaches can pose.

The past year has seen the publication of Artificial Intelligence: Australia’s Ethics Framework, a framework by CSIRO’s Data61 to guide the proliferation of AI in Australia in accordance with a set of ethical principles. This is a useful resource for organisations considering implementing AI or big data solutions.
Finding #5: Less than 60% of organisations have assessed whether GDPR applies

This year, our survey asked for the first time whether organisations had assessed the applicability of the EU GDPR. Only 58% of respondents said they had considered whether it applies to their organisation, while 12% of organisations had not considered its applicability, and 24% of respondents were unsure.

The GDPR is the European Union’s privacy law, which came into effect in May 2018, and which can apply directly to Australian organisations. Though many of the privacy requirements are similar to those found in the Privacy Act 1988 (Cth), there are a number of concepts which are unique to the GDPR (such as data ‘processors’ and ‘controllers’). Compliance with the Australian privacy laws alone will not meet an organisation’s GDPR obligations. In particular, data breach notification obligations are stricter under the GDPR than under Australian privacy laws.

As such, it is recommended that organisations (especially those with a physical presence in the EU or those offering goods and services in the EU) assess whether the GDPR applies to them.

Our survey results disclose that a significant number of surveyed organisations are yet to assess the applicability of the GDPR. With its significant penalties for non-compliance (of up to 4% of annual global turnover or €20 million, whichever is higher), and the ACCC and the Australian Government flagging their increased appetite for GDPR-style privacy reform (discussed below), it is important that Australian organisations understand whether the GDPR applies to them, and, if so, whether their current privacy and data protection policies and practices meet the requisite standards.
Lessons learned from high profile Australian data breaches over the last 12 months

The impact of high profile cyber attacks in Australia has been significant this year, and there are important lessons that can be learned from them.

Australian National University

In June 2019, ANU publicly announced that it had suffered a cyber attack, which had only been discovered two weeks prior. This was despite a malicious actor gaining unauthorised access to its enterprise systems in November 2018. ANU disclosed that the malicious actor had accessed an unknown quantity of information dating back up to 19 years, affecting approximately 200,000 individuals.

ANU took the unprecedented step in Australia of publishing an ‘Insight Report’ of the incident on 2 October 2019. The Report highlighted that the actor used a variety of sophisticated methods in order to obtain credentials and network access, including a number of sophisticated spear phishing emails. Unlike traditional phishing methods, the emails sent throughout the organisation did not require user interaction. In other words, even though the emails were only previewed (without being opened), the malicious code contained in the emails still allowed for credentials to be sent to external web servers. The Insight Report also explained that there had been approximately a two week delay between identifying the attack and the notification, to allow time for ANU to take remediation steps prior to the announcement, including to mitigate the effects of ongoing attempts to regain unauthorised access to ANU systems (either by the original actor, or by others).

The Insight Report helpfully included a number of lessons for other organisations. The successful use of phishing by the actor highlights the need to invest in regular cybersecurity awareness training and education across all organisations. The sophisticated nature of these emails also suggests a need for greater understanding of phishing, including new ways in which information can be compromised and the technical measures that organisations need to implement to mitigate against this.
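The preview-pane behaviour described above is where a technical control, not only awareness training, applies. A mail client that fetches remote content (tracking images, stylesheets, CSS backgrounds) while merely rendering a message contacts the sender’s server with no click from the recipient. The following is an added example, not code from this report or from the ANU Insight Report; it assumes that the emails relied on automatically loaded remote content, which the page does not confirm. It parses a constructed message and lists every reference a preview pane would fetch, flagging hosts outside an assumed allowlist so that a gateway can quarantine the message or strip the references:

```python
"""Flag remote resources that a mail preview pane would fetch automatically.

Added example (not from the MinterEllison report or the ANU Insight Report).
Assumes the preview-triggered mechanism was auto-loaded remote content; the
message, hostnames and allowlist below are constructed for the example.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the organisation permits mail clients to fetch from (assumed list).
ALLOWED_HOSTS = {"mail.example.edu", "cdn.example.edu"}

# Tag attributes that a rendering client requests without any user click.
AUTO_FETCH_ATTRS = {
    "img": ("src",),
    "link": ("href",),          # e.g. rel="stylesheet"
    "iframe": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src",),
    "object": ("data",),
}
# url(...) inside inline style attributes or <style> blocks is fetched too.
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)['\"]?\s*\)", re.IGNORECASE)


class RemoteRefParser(HTMLParser):
    """Collect (where, url) for every reference fetched while merely rendering."""

    def __init__(self):
        super().__init__()
        self.refs = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._in_style = True
        for name in AUTO_FETCH_ATTRS.get(tag, ()):
            if attrs.get(name):
                self.refs.append((f"<{tag} {name}>", attrs[name]))
        if attrs.get("style"):
            for url in CSS_URL.findall(attrs["style"]):
                self.refs.append((f"<{tag} style>", url))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            for url in CSS_URL.findall(data):
                self.refs.append(("<style>", url))


def remote_references(raw_message):
    """Return (where, url, host, allowed) for each auto-fetched remote URL in
    the HTML parts of a raw RFC 5322 message. cid:, data: and relative
    references carry no host and cause no network request, so they are skipped."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        parser = RemoteRefParser()
        parser.feed(part.get_content())
        for where, url in parser.refs:
            host = urlparse(url).hostname
            if host is None:
                continue
            findings.append((where, url, host, host in ALLOWED_HOSTS))
    return findings


def should_quarantine(raw_message):
    """True when any auto-fetched reference points outside the allowlist."""
    return any(not allowed for *_, allowed in remote_references(raw_message))


# Constructed sample: a quota notice with a legitimate logo, a tracking pixel on
# an unknown host, a CSS background on another, and an inline (cid:) image.
SAMPLE_EML = b"""\
From: "IT Service Desk" <helpdesk@example.edu>
To: staff@example.edu
Subject: Mailbox quota notice
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body style="background:url(http://tracker.invalid/bg.png)">
<p>Your mailbox is nearly full. No action is required.</p>
<img src="https://cdn.example.edu/logo.png" alt="logo">
<img src="http://203.0.113.10/pixel.gif" width="1" height="1">
<img src="cid:inline-chart">
</body></html>
"""

if __name__ == "__main__":
    for where, url, host, allowed in remote_references(SAMPLE_EML):
        print(f"{'ok  ' if allowed else 'FLAG'} {where:14} {host:18} {url}")
    print("quarantine:", should_quarantine(SAMPLE_EML))
```

The gateway check only sees references present at delivery time, so it belongs alongside client configuration that disables automatic download of external content in the preview pane; the two together cover both the message and the behaviour the message relies on.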
LandMark White

In May 2019, LandMark White (LMW), Australia’s largest independent property valuation firm, announced that it had suffered a second data breach, following its announcement of an earlier breach in February 2019. In both cases, thousands of company documents were posted online – either to the dark web (in the first attack) or to US sharing platform Scribd (in the second attack). Although the compromised documents were not confidential in nature (insofar as the information contained could be found by alternate means, e.g. through a title search), the breach severely impacted LMW’s reputation, with devastating results. LMW voluntarily entered a trading halt following the announcements, and its CEO resigned from the company. In addition, LMW’s key clients – major Australian banks – immediately suspended the use of LMW’s services. Collectively, these events contributed to a loss of $15.1 million in FY19, and LMW was forced to raise equity through a rights issue in order to continue trading. In December 2019, LMW announced that it was re-branding to ‘Acumentis’ in an effort to start afresh.

Unlike some of the other significant data breaches that have occurred over the last 12 months, the incident did not arise due to a sophisticated attack. Instead, it was the work of an inside IT contractor, who has since been charged with a number of offences and remains in custody.

Public media reports suggest that at least 15 senior employees and contractors of LMW knew that the network was vulnerable before the incidents occurred – highlighting the critical importance of strong and effective board-level cyber governance.

Victorian public hospitals

In October 2019, a number of regional hospitals in Victoria were subject to a ransomware attack, which blocked access to several major systems. In an attempt to contain the infection, the impacted hospitals disconnected a number of their IT systems (including patient records, booking and management systems).

The attack resulted in the facilities having to resort to manual systems to maintain health and other services.

This attack follows an audit released by the Auditor-General in May 2019, which exposed the vulnerability of patient data stored in Victoria’s public health system. The report also found that staff awareness of data security was low, increasing the likelihood of successful phishing by malicious actors.

In the OAIC’s 2019 Insights Report, and again in the six monthly report on data breaches between 1 July and 31 December 2019, the OAIC concluded that the highest number of notifiable data breaches have occurred in the health sector. Between 1 July 2019 and 31 December 2019, 43% of these breaches were found to be the result of human error, as opposed to the average of 32% for all other sectors. These results highlight the need for organisations that handle health and other sensitive information to implement robust cybersecurity and cyber resilience measures.
Myki

In August 2019, the Office of the Victorian Information Commissioner (OVIC) published its report on the release of myki data by Public Transport Victoria (PTV) of around 1.8 billion records of historical transport users’ activity to Data Science Melbourne for a Data Hackathon. PTV released the dataset on the basis that, according to PTV, the information was de-identified and did not relate to individuals. However, OVIC found that, because the data was released to the Data Hackathon participants without any restrictions on the use or onward disclosure of the data, and because there were a number of ways in which the data could be re-identified (as described in separate reports prepared by Data61 and academics at the University of Melbourne), it was reasonably possible to determine the identity of a substantial portion of the individuals whose travel movements were included in the dataset.

This incident is a timely reminder of the increasing difficulty organisations face in effectively de-identifying data. While the de-identification of data has, until now, been relied upon as a means of protecting data and enabling it to be used for secondary purposes, recent advances in AI and data analytics tools, combined with the increasing size of datasets, mean that de-identification is increasingly difficult to achieve.
Increasing regulatory enforcement

A number of new regulatory trends emerged during 2019. In Australia, the ACCC has taken a more prominent role in the regulation of consumer data, and the first ever privacy class action was settled. Overseas, significant fines were imposed on organisations which had experienced large scale data breaches.
Australia

On 9 March 2020, the Australian Information Commissioner issued proceedings against Facebook Inc and Facebook Ireland Limited in relation to the “This is Your Digital Life” App, which allegedly sold personal information to Cambridge Analytica in relation to the users and ‘friends’ of users who installed the App. The Commissioner alleges that Facebook did not adequately inform individuals about the way their personal information could be disclosed (including their friends’ information), or take reasonable steps to protect the security of the personal information from unauthorised disclosure. The case is highly significant, as it could result in the first ever civil penalty being imposed under the Privacy Act. At the time of writing of this report, Facebook has not filed a defence.

In July 2019, the ACCC published the Final Report of its ‘Digital Platforms Inquiry’, which examined the impact of digital platforms (including social media and search engines) on the supply of news and journalistic content. It also explored the implications of this for advertisers, content creators and consumers. The Report included recommendations to strengthen requirements under the Privacy Act relating to the collection and use of consumer data. In particular, it highlighted the importance of obtaining consent for different purposes of data collection, use and disclosure. In December 2019, after an extensive consultation period, the government published its response to the ACCC’s recommendations, including amendments to the Privacy Act to strengthen penalties, as well as a broader review of the Privacy Act, which is to occur over the course of 2020-21.

A month after the ACCC published its final report, it initiated proceedings in the Federal Court against online health booking platform HealthEngine for misleading and deceptive conduct relating to the publication of patient reviews and ratings, and the sharing of patient information with third parties. The ACCC alleges that HealthEngine provided personal information of over 135,000 patients to private health insurance providers for a fee, without disclosing to consumers that it would do so. HealthEngine is accused of misleading patients into thinking their information would be kept by HealthEngine and not provided to third parties.

In October, the ACCC took further action in relation to consumer data, initiating proceedings against Google and alleging that the company made misleading representations to users with Android phones about the collection of personal location data. It alleges that, in doing so, Google has ‘collected, kept and used highly sensitive and valuable personal information about consumers’ location without them making an informed choice’. Google is accused of misleading consumers when it made on-screen representations about the data that was collected, and how it was used. In particular, Google had indicated that location data would only be collected and used for the consumer’s use of Google services. However, the data was in fact used by Google for a number of purposes unrelated to the consumer’s use of these services.

Transparency and inadequate disclosures surrounding the collection and use of personal information were a major focus in the ACCC’s Digital Platforms Inquiry, and remain a top priority according to ACCC Chair, Rod Sims. These proceedings are also a timely reminder for organisations to regularly review and update their privacy and IT security policies to ensure they do not contain potentially misleading statements. These actions, together with the ACCC’s Digital Platforms Inquiry report, signal a trend towards consumer-focused regulation and privacy reform in Australia.

Finally, to round out 2019, in December it was announced that the Supreme Court of New South Wales had accepted the settlement of the first ever privacy class action in Australia. The proceedings date back to 2017, when employees of New South Wales Ambulance alleged that a former contractor of the organisation had sold the workers compensation files of 130 current and former NSW Ambulance staff to solicitors. The sum of $275,000 will be allocated between 108 class members. Other proposed class actions (in relation to the 2018 PageUp and Facebook Cambridge Analytica data breaches) have not proceeded.
Overseas

Overseas, the last 12 months have seen an increase in regulatory action, and most notably, substantial fines levied against companies for breach of privacy and related laws. In July 2019, the Federal Trade Commission (FTC) handed down a US$5 billion fine against Facebook. This was the largest ever fine levied against a company by the FTC, and 20 times higher than the largest privacy or data security penalty previously imposed worldwide. In the wake of the 2018 Cambridge Analytica scandal, the FTC alleged that Facebook had mishandled users’ personal information and was deceptive in relation to its ability to control the privacy of such information.

In the same month, the UK’s Information Commissioner’s Office (ICO) issued two back-to-back notices of intention to fine British Airways and Marriott International, respectively, for infringements under the GDPR.

The ICO proposes to fine British Airways £183.39 million, amounting to 1.5% of the company’s worldwide turnover in the 2019 financial year. The penalty relates to a data breach notified to the ICO in September 2018, in respect of the personal information of approximately 500,000 customers. The ICO found that poor security arrangements within the company (including systems relating to log in, travel booking and payment) rendered users’ information vulnerable to cyber attack. The ICO alleges that British Airways was under an obligation to protect user privacy, and did not take appropriate steps to uphold fundamental privacy rights. This fine is the largest penalty announcement the ICO has yet made.

The ICO also proposes to fine Marriott £99 million for a data breach which involved the exposure of personal data of approximately 339 million customers. The incident is said to have occurred after Marriott acquired Starwood Hotels Group in 2016, whose systems were compromised in 2014. The ICO said that Marriott did not undertake adequate due diligence when it acquired Starwood, and should have invested in more secure systems. Commissioner Elizabeth Denham stated that the GDPR makes it clear that organisations need to be accountable for the personal data they hold. This includes carrying out sufficient due diligence on organisations or businesses that are being acquired, and implementing stronger safeguards to protect personal information. The fine proposed to be levied on a US company also highlights the global impact of the regulation.

The ICO investigated both incidents as the lead supervisory authority on behalf of other EU Member State data protection authorities. The ‘one stop shop’ provisions under the GDPR enable other data protection authorities in the EU whose residents have been affected by the data breach to comment on the ICO’s findings.
MinterEllison’s cybersecurity team can help you address and mitigate cyber risk

Conduct independent cyber risk reviews and Board-level cyber risk assessments.
Review third-party supplier contracts to ensure that they appropriately address privacy and data protection issues, and do not inappropriately transfer cyber-related risks to your organisation.
Develop, review and update data breach response plans as well as related policies and procedures, such as privacy and document retention policies.
Understand how GDPR applies to your business and ensure compliance across the data life cycle.
Advise on privacy, data protection and cyber-related legal and commercial issues.
Develop and deliver cyber risk and privacy compliance tools through face-to-face and online training (including via the award winning Safetrac online compliance system).
Conduct privacy audits and impact assessments, including in relation to cloud-based products and services.
Plan for, respond to and rebuild from a data breach or cyber incident, including breach coach services (where MinterEllison leads the data breach response process).
Advise on cyber insurance issues, including assisting with cyber risk advice coverage issues, and strategic management of notifications and claims arising from cyber risk losses.
Get in touch with us

Paul Kallenbach, Partner. M +61 412 277 134. E paul.kallenbach@minterellison.com
Susan Kantor, Senior Associate. M +61 407 545 091. E susan.kantor@minterellison.com
Anthony Lloyd, Partner. M +61 411 275 811. E anthony.lloyd@minterellison.com
Anthony Borgese, Partner. M +61 400 552 665. E anthony.borgese@minterellison.com
Amanda Story, Partner. M +61 423 439 659. E amanda.story@minterellison.com
Cameron Oxley, Partner. M +61 417 103 287. E cameron.oxley@minterellison.com
Leah Mooney, Special Counsel. M +61 421 587 950. E leah.mooney@minterellison.com
John Fairbairn, Partner. M +61 410 475 965. E john.fairbairn@minterellison.com
Vanessa Mellis, Special Counsel. M +61 434 658 811. E vanessa.mellis@minterellison.com
Lisa Jarrett, Partner. M +61 448 880 530. E lisa.jarrett@minterellison.com
Nicholas Pascoe, Partner. M +61 403 857 529. E nicholas.pascoe@minterellison.com
Christina Graves, Special Counsel. M +61 2 62251349. E christina.graves@minterellison.com
Stephen Craike, Partner, MinterEllison Consulting. M +61 415 592 802. E stephen.craike@minterellison.com
Simon Lewis, Partner, MinterEllison Consulting. M +61 418 320 011. E simon.lewis@minterellison.com
Ashish Das, Partner, MinterEllison Consulting. M +61 424 289 204. E ashish.das@minterellison.com

minterellison.com