A cyber breach can be a harrowing ordeal, especially if you are unsure what to do in response. However, being proactive and prepared will make an enormous difference in your response and help reduce the impact of consequent financial and reputational damage. A future-proof cyber incident response covers patching and restoring compromised systems, but also spans the forensics of your environment, remediation of identified risks, and addressing legal obligations.
In this piece, we have teamed up with Hall & Wilcox lawyers to help you learn the intricacies and best practices for a cyber incident response scenario you may find yourself in.
Know Your Legal Obligations
An organisation that collects, uses, discloses and holds personal information, as defined in the Privacy Act 1988 (Cth) (Privacy Act) should do everything it can to safeguard that personal information. Safeguarding personal information includes having the best data security systems to protect personal information as well as understanding and complying with the legal framework that regulates the collection, use, disclosure and management of personal information.
A failure to understand and comply with the relevant legal framework means that an organisation faces greater potential exposure to having the personal information it holds accessed unlawfully by cybercriminals. This could expose the organisation to significant reputational harm, the loss of the trust of customers and clients, and direct financial loss.
A failure to comply with the law will also expose the organisation to complaints, legal action and penalties for failing to comply, and may leave the organisation with little or no legal defence if personal information is unlawfully accessed and stolen.
Notifiable Data Breach Scheme
Organisations required to comply with the Privacy Act must also comply with the notifiable data breach scheme. This means that an organisation subject to the scheme that experiences an eligible data breach has an obligation to notify the Australian Information Commissioner and affected individuals of the breach.
Understand what has been exposed – what is an eligible data breach?
An eligible data breach occurs where there is unauthorised access to, unauthorised disclosure of, or loss of, personal information held by an organisation and a reasonable person would conclude the access, disclosure or loss is likely to result in serious harm to any of the individuals to whom the information relates. An example of a data breach includes where a database containing personal information is hacked.
If an organisation is aware that there are reasonable grounds to suspect it may have suffered an eligible data breach, it must carry out a reasonable and expeditious assessment (within 30 days of forming the suspicion of the breach) of whether the relevant circumstances amount to an eligible data breach. However, where remedial action is taken by the relevant organisation following a data breach so that serious harm does not occur to an individual, and a reasonable person would conclude that serious harm is not likely, there will not be an eligible data breach.
When does serious harm occur?
Serious harm may include serious physical, psychological, emotional, economic and/or financial harm, as well as serious harm to reputation. When considering whether the access, disclosure or loss would be likely to cause serious harm, regard should be had to various factors including:
- the kind(s), and sensitivity, of the information;
- whether the information is protected by security measures (e.g. by a password) and the likelihood of such measures being overcome;
- the persons or kinds of persons who have obtained or could obtain the information; and
- the nature of the harm.
What are the notification obligations if there is an eligible data breach?
Under the notifiable data breach regime, an organisation that has reasonable grounds to believe it has experienced an ‘eligible data breach’ must:
- prepare and provide to the Australian Information Commissioner, as soon as is practicable after becoming aware of the breach, a statement (Notification Statement) setting out:
  - the organisation’s identity and contact details (and, where the breach also relates to a different entity, the Notification Statement may also set out the identity and contact details of that entity);
  - a description of the breach;
  - the kind(s) of information impacted by the breach; and
  - recommendations about the steps affected individuals should take in response; and
- as soon as practicable after preparing the Notification Statement:
  - if practicable, take steps reasonable in the circumstances to notify the individuals to whom the relevant information relates, or who are otherwise at risk from the breach, of the content of the Notification Statement; or
  - if it is not practicable to notify the relevant individuals, publish a copy of the Notification Statement on the organisation’s website and take reasonable steps to publicise the contents of the Notification Statement.
Prepare for a Data Breach – Data Breach Response Plan
The best defence is to prevent a breach from occurring at all and for this reason (as already required by the Privacy Act) organisations must ensure there are adequate security measures in place to protect personal information. However, in a world in which data breaches are increasingly common and appear inevitable, organisations can prepare a data breach response plan, identify personnel responsible for implementing the plan and ensure personnel (including contractors) are aware of the plan.
At a high level, a data breach response plan should:
- set out ways to:
  - contain the breach (e.g. shutting down websites, disabling access etc.);
  - identify the scope and effect of the breach (e.g. what information, and who, has been affected; how individuals are affected; what the source of the breach was etc.);
  - determine whether serious harm has occurred or is likely to occur; and
  - determine if a notification obligation exists and, if so, prepare and provide a Notification Statement and comply with other notification obligations;
- identify ways in which to prevent future breaches, for example by reviewing the organisation’s privacy and security governance arrangements to appropriately foster a security awareness culture throughout the organisation.
An organisation should also provide for the training of personnel on their obligations concerning the handling of data breaches, on general security obligations, and on the responsibilities each employee has in assisting the organisation to comply with those obligations.
The data breach response plan should provide for a Response Team to conduct the initial investigation into the identified or suspected data breach by gathering any necessary information and making initial recommendations. The Response Team should consider the following preliminary questions, to ascertain the nature and extent of the breach or suspected data breach:
- What personal information does the breach or suspected breach involve?
- What was the cause of the breach or suspected breach?
- What is the extent of the breach or suspected breach?
- What are the harms (to affected individuals) that could potentially be caused by the breach or suspected breach?
- How can the breach or suspected breach be contained?
To protect legal privilege over the investigation, the Response Team should instruct legal advisors to advise on the matter and ensure that all external consultants, such as IT incident responders and forensic IT analysts, are engaged by those legal advisors.
The Response Team will also consider whether there is a need to develop a communications or media strategy to manage public expectations and media interest.
Stop the Bleeding
When a data breach is discovered, there is no time to dwell on what would have happened if security protocols had differed, although a review of what went wrong will be important once you have responded to the emergency (step 4 of the data breach response plan).
The organisation should have its data breach plan in place and be ready to respond promptly while maximising its ability to protect the confidentiality of its investigation. Otherwise, the financial and reputational damages can snowball, as cybercriminals get more time to mine data, install backdoors, inject malware, and in some cases release ransomware onto your network – completely exhausting your organisation’s ability to operate.
Containment must happen fast. The key consideration here is that the Response Team works with capable cybersecurity advisors and legal advisors who are experts in privacy law. These partners will help identify the root cause of the incident, assessing activity logs and providing remediation strategies promptly.
When in doubt, always work with professionals.
Getting Back to Business as Usual (BAU)
This begins with cyber forensics to understand what went wrong, so the Response Team can map out a roadmap back to BAU while patching all vulnerabilities connected to the breach. Equally important is to devise an effective communications strategy to ensure your stakeholders are made aware of what has been breached. At the end of the day, it may be their data that has been exposed, and they have every right to know what has happened.
Notify, Communicate, Disclose
As experts say, the worst possible event is what happens post-breach. Therefore, as well as complying with statutory obligations to notify, organisations should consider the need to notify stakeholders of what has been breached (such as PII, PCI data or credentials) and what the potential impact is for them. An organisation will probably also have to report data breaches to its Board. Keep in mind whether the matters being reported are subject to legal privilege and, if so, ensure your legal advisors assist.
“A data breach itself is the second-worst possible event that can occur in an organisation; the mismanagement of the response and communication is the worst.”
Find What’s Barring You from Safety
Once an organisation has recovered from the incident, it is time to thoroughly review what happened. The organisation must seek to learn from past mistakes to pave its way to fortifying defences, improving compliance levels and, ultimately, strengthening its security posture. It is key to promote a culture of ‘privacy and security first’ across all departments and verticals.
Develop a Strong Baseline
Protecting against a cyber incident is a full-time job. Only a strong baseline through continuous education, monitoring, and threat detection can help you focus on growing the organisation.
Organisations may start with action items such as hardening endpoints, strengthening login credentials and security Q&As, in parallel with implementing staff education on privacy law compliance and nurturing cyber awareness to prevent similar issues in the future. Remember, staff are your first line of defence against cyber threats.
CTRL Group believes utilising a 24×7 monitoring tool is the most effective measure an organisation can take in stopping future attacks. By doing so, you extend your cyber capabilities with non-stop surveillance over your assets and someone to track all activities and rapidly respond to suspicious events.
Find your allies. Staying safe in the world of cyber can be a rough journey.