New Data Breach Law Drives Australia’s Cyber Security Focus
A new mandatory data breach notification law has come to Australia. Effective in early 2018, if not sooner, it will require businesses to notify the Australian Information Commissioner, and the customers whose data has been compromised, of serious data breaches. This should place cybercrime high on Australian boards’ agendas and drive the overhaul of existing cyber security systems.
The urgent need for Australian enterprises to adopt - and consistently maintain - robust and modern cyber security strategies and tools is becoming ever more acute given the following four global trends:
- Significant spend by governments and global enterprises on cyber security initiatives.
- Increased regulation requiring data breach incident reporting with hefty fines and potentially enormous other costs.
- Rising cybercrime is expected to cost the world more than US$6 trillion per year by 2021.
- A dire cyber security skills shortage expected to continue into 2020.
Mandatory transparency finally arrives Down Under
The Australian government has admitted that it is largely blind to the true extent of cybercrime’s impact on local industry. According to the Australian Cyber Security Centre (“ACSC”), it lacks a clear view of the cyber security incidents suffered by Australian businesses because, under the current voluntary regime, too few of them are reported.
Meanwhile, the government’s cyber security strategy (unveiled in April 2016) allocated A$230m to various initiatives over four years. However, experts warn that while the government acknowledges the issue, it severely underestimates the scale and urgency of the problem, and question whether the government’s spend is in fact enough.
The US government’s cybersecurity budget is 400 times bigger, and the UK government’s 10 times bigger, than Australia’s. The US government announced in February 2016 that it would invest over US$19 billion in cybersecurity. US corporations have also increased cybersecurity budgets in the war against hackers: J.P. Morgan Chase doubled its annual cybersecurity budget to half a billion USD; Bank of America said it has an unlimited budget for combating cybercrime; and Microsoft said it would invest over US$1 billion annually in cybersecurity research and development in the coming years.
As Donald Rumsfeld might surmise, “there are also unknown unknowns...things we don’t know we don’t know”; the new Australian data breach notification law, finally passed by the Senate on 13 February 2017, is a step in the right direction to bring us in line with the prevailing thinking and approach to this issue in the US and Europe.
Regulated Australian entities will now be required to report "eligible data breaches" to the Privacy Commissioner and to affected individuals. Impacted entities include businesses with annual turnover exceeding A$3 million, health service providers, Commonwealth Government agencies, credit providers and credit reporting bodies. An entity that fails to comply with the notification obligation may face penalties of up to A$1.8 million.
The US has had mandatory data breach notification laws for 15 years (first introduced in California in 2002 and since adopted by over 30 other US states). This has brought about far more transparency and awareness, but it has also prompted a significant number of class actions against corporations involved in data security breaches. Some of those class actions resulted in striking financial and reputational costs topping US$200 million.
In Europe (and the UK), organisations are preparing for the new General Data Protection Regulation (“GDPR”), commencing in May 2018, which will introduce an onerous data breach notification regime with far-reaching financial consequences. Currently, the UK regulator (the ICO) can issue fines of up to £500,000 for serious breaches of the UK’s Data Protection Act. The GDPR will increase potential fines to 4% of global annual turnover for the preceding year or €20m, whichever is higher. Importantly, the GDPR will apply to companies based outside the EU that target EU consumers, so global Australian companies with relevant EU operations would be caught by those provisions.
The cybercrime pandemic & its extraordinary costs
Our ever more digitised world is seeing a dramatic rise in cybercrime, ransomware and malware on smartphones and mobile devices (not only PCs and laptops). There are also billions of under-protected Internet of Things (IoT) devices deployed, armies of hackers-for-hire, and sophisticated cyber-attacks launched at businesses, governments, educational institutions and consumers globally.
According to the cybersecurity market intelligence firm Cybersecurity Ventures, cybercrime will continue to rise and will cost businesses globally more than US$6 trillion annually by 2021. The direct costs include data damage and destruction, stolen money, IP theft, business disruption and reputational harm. Beyond those, organisations affected by cybercrime also face legal and PR fees, share price falls that hit valuations, interruptions to e-commerce, customer churn and loss of competitive advantage.
Globally, the biggest data breaches have so far occurred in the US, with the UK not far behind. Some of the more infamous UK incidents involved Sports Direct (in early 2017), where employees’ data was compromised; Three Mobile, one of Britain’s largest mobile operators, which revealed a major data breach in 2016 that put millions of its customers at risk; Tesco Bank, hacked in 2016 with money stolen from 20,000 customer accounts; and, last but not least, the UK telco TalkTalk, whose data breach resulted in the highest fine ever issued by the ICO (£400,000, in 2016) and cost the company a total of £80 million and 100,000 lost customers.
Data breaches in Australia
Australia led the APAC region in reported data breaches in 2016. In its latest Threat Report, the ACSC counted 1,095 serious security incidents affecting Australian government systems, and 14,804 affecting private businesses, in the 12 months to June 2016. There may well have been others that remain undisclosed. Reported incidents in Australia over the past two years included:
- NAB accidentally sent 60,000 customers’ personal details to the wrong website last December
- Big W experienced a customers’ personal data leak in November 2016
- the Red Cross Blood Service suffered the country’s biggest and most damaging data breach to date, with 1.28 million donor records going back to 2010 published to a publicly-facing website in October 2016
- David Jones’ website was hacked in October 2016 through an exploited vulnerability, resulting in stolen customer information
- Kmart Australia saw customer data stolen by hackers in October 2015; and
- Telstra's Asian subsidiary, Pacnet, was hacked in May 2015 in an attack affecting thousands of customers including The Australian Federal Police, Department of Foreign Affairs and Trade and other government agencies.
According to Kaspersky Lab ANZ, Australia records one of the highest global rates of online banking cybercrime threats, and has one of the highest rates in the world of mobile banker Trojan penetration (second only to Russia). Those alarming statistics show that we are not immune to the problem, and highlight the importance of catching up with the cybersecurity landscape and understanding the necessity of protecting organisations and their customers’ data.
The cyber skills shortfall 
The global cyber security market is forecast to be worth US$120 billion in 2017 and to rise to US$1 trillion by 2020. Cybercrime fuelled an explosion in the cyber security market over the past five years, leading to one million cybersecurity job openings in 2016. All signs point towards a prolonged cybersecurity workforce shortage through at least 2021.
The lack of cyber security professionals is felt more acutely in Australia than in other countries, according to a report by a US think tank published late last year, which predicts that 17% of advertised cybersecurity positions will go unfilled by 2020. The skills in shortest supply are said to be intrusion detection, software development and attack mitigation. This skills shortage, coupled with the fact that 44% of Australian businesses think they are a hacking target due to limited cyber security, leaves Australian businesses highly exposed.
Change is mandatory to retain consumer trust
In financial services, customer trust is a particularly important asset. As concluded by Capgemini in their “Currency of Trust Report”:
“Banks and Insurers have reaped a perception dividend on privacy and security issues that other industries have not enjoyed. However, this advantage is under threat as transparency increases and consumers become more aware of breaches that do occur. If organizations do not take proactive steps to enhance security and privacy, consumers will quickly realize that their high levels of trust are perhaps misplaced, with significant consequences for the sector. Banks and insurers should...reinforce their cybersecurity defense program with state-of-the-art security intelligence and breach detection capabilities.”
Effective and continuous cyber risk management is about more than just innovative technologies. It involves the integration of business objectives with security and privacy priorities across the enterprise. This, in turn, requires active board involvement and empowering the CIO (or CISO) to bring security to the top of the company’s strategic agenda with a focus on the necessary skills, resources and re-engineering.
Privacy and security principles should be baked into the company’s culture via DevSecOps best practices. Instead of a bolted-on after-the-fact set of gates and checkpoints, security must be part of the application development process.
Companies should embrace cloud adoption, software-defined networks, encryption (in transit and at rest) and secure APIs over brittle and outdated in-house developed infrastructure that has never been tested in the wild. Security auditing, monitoring and notification systems must be deployed and managed so that they can be continuously enhanced, to keep in step with the frantic innovation intrinsic to cybercrime. Finally, engaging specialist security and DevOps training organisations to raise staff skills and awareness is essential for maintaining consumer trust in this precarious future.