Don’t join the 245 that were hit by a notifiable data breach

In our article dated 19 February 2018, we discussed the risks to your organisation that may occur from a data breach or cyber attack, and we suggested some steps that you could take to minimise that risk.

This article examines recent trends in cyber attacks and data breaches and what steps should be taken to minimise the risk of them occurring.

The Office of the Australian Information Commissioner reported that in the period between 1 July 2018 and 30 September 2018, 245 data breaches were notified in accordance with the requirements of the Privacy (Notifiable Data Breaches) Act 2018 (Cth) ¹

Of those breaches:

Importantly, the second largest category of data breaches related to human error which included:

• sending an email, fax, or letter to the wrong recipient;
• failing to use the ‘bcc’ option on group emails;
• loss of paperwork; and
• loss of a data storage device.

The vast majority of data breaches involved either disclosure of contact information or financial information in relation to an individual.

The cyber insurance market is still relatively new in the Australian market but it is an area of significant growth. 

It is becoming more common for organisations to need to demonstrate that they have appropriate cyber security measures in place, and appropriate insurance cover, when tendering for work.

Whilst the number of cyber insurance policies taken out in Australia continues to increase steadily, there have only been a limited number of claims to date.

Although your organisation may already have cyber insurance in place, you cannot be complacent.

As the number of claims (inevitably) increases, policy wordings will be reviewed by insurers and further exclusion clauses will appear in cyber policies. Cyber wordings are changing regularly. You may find the coverage changes from policy to policy. Management and D&O policies are also changing in their treatment of cyber risks, which are now starting to be identified as governance issues in some cases.

You need to review the wording of your organisation’s current cyber policy carefully as it is likely to require that your organisation take reasonable measures to avoid cyber breach and data attack.

At this early stage, there is no judicial guidance available as to what will be considered to be reasonable measures.

At the very least, your organisations IT manager or external IT provider will need to ensure that your IT system is protected, as far as practicable from cyber attack.

Given the level of data breaches caused by human error, staff training is vital and is likely to be taken into account when insurers consider whether or not your organisation has taken reasonable measures to avoid a data breach of cyber attack.

Key areas that staff can be trained in to avoid your organisation being subject to a data breach or cyber attack are outlined below.

Staff should be instructed to:

• report any suspicious emails to IT immediately and not to open them;
• Not to click on links in emails from an unrecognised source;
• Double check before sending an email that it is addressed to the correct recipient;
• Use the ‘bcc’ function when sending group emails;
• If instructed that an organisation has changed its bank details, check with the contact person at that organisation prior to implementing the change;
• Report the loss of either paperwork or mobile devices to the IT department immediately it is suspected that they are lost or stolen;
• Strengthen the security settings on mobile devices;
• Instruct staff to avoid using their devices in WIFI hotspots unless absolutely necessary;
• Delete any data which it is no longer necessary for your organisation to retain;
• Ensure that all staff attend training sessions in relation to cyber breach and data security and confirm their attendance in writing and keep a record of their attendance on a centralised register; and
• Keep staff updated on changes and developments in your organisations security measures.