Another week another data breach as Uber revealed that it had been the subject of a data breach which resulted in the theft of personal information of approximately 57 million users. With the ever increasing reliance on technology to deliver most consumer services, these breaches are almost impossible to completely prevent. However, your reaction to these breaches could save your business millions of dollars, and how you respond will soon be further prescribed in Australian law.
The Uber breach took place in late 2016, where two hackers accessed its user data stored on a third-party cloud based service. Upon being alerted to the issue, rather than notify authorities and consumers impacted, Uber paid the hackers $100,000 USD to delete the data and keep silent regarding the attack.
It is not hard to see why they would be reluctant to disclose such a breach. At the time of the attack, Uber was the subject of various negotiations with US regulators who were investigating separate privacy claims, as well as settling a lawsuit with the New York attorney general and the Federal Trade Commission over data security disclosures and the handling of consumer data.
The OAIC has commenced inquiries with Uber regarding the impact of the breach in Australia, and this comes hot on the heels of a similar breach involving Equifax (formerly known in Australia as Veda), an international credit reporting body who also operate heavily in the Australian credit market.
Earlier this year, its American office announced that hackers had gained unauthorised access to their company data, potentially compromising the personal information of 143 million American consumers including their social security numbers and drivers licence numbers. Whilst the breach took place in America, Equifax may have transferred personal information between its American office and its wholly owned subsidiary Equifax (Australia), bringing with it the possibility of breaches of Australia’s privacy laws.
Again, the breach reporting was some time after the event - the incident taking place in June, identification in July but was not reported to the market until September 2017.
Notifying Data Breaches: Who, What, How?
Data Breach reporting requirements have been established in the US for some time and there are global developments, particularly in the UK and EU, regarding data breach reporting to both Regulators and consumers.
In Australia the OAIC's Mandatory Notifiable Data Breach Regime (NDBR) comes into force on 22 February 2018 and prevents businesses and agencies from concealing breaches if the breach is considered to result in serious harm to the affected person(s).
Pre-NDBR, businesses were not under a legal obligation to disclose the breach to the OAIC or the affected person(s). However, for Australian Financial Services licensees a data breach resulting in the theft of consumers' personal information would be considered to be a significant breach and reportable to ASIC.
Under the NDBR it will be compulsory for certain organisations to notify specific types of data breaches (Notifiable Data Breaches or ‘NDBs’) to individuals affected by the breach, and to the OAIC. A NDB is a data breach that is likely to result in serious harm to any of the individuals to whom the information relates.
The introduction of the NDBR is something that Australian businesses need to take seriously. There will be no time to wait and ‘test the water’ before making any changes to existing policies and procedures after 22 February 2018 - the penalties for failing to comply with the new legislation include fines of up to $420,000 for individuals and up to $2.1 million for organisations.
Data Breaches and Cyber Security
The ASX100 Cyber Health Check Report 2017 found that 80% of financial service providers expect cybercrime to increase over the next 12 months, highlighting the enormity and widespread nature of this issue.
Cyber Security refers to the body of technologies, processes, and practices employed in an organisation which are designed to protect networks, devices, programs and data from attack, damage, or unauthorised access. Cyber Security measures are generally designed to protect businesses from cyber risks, such as:
- data breaches
- denial of service attacks
- human error
- compromised systems
The issue of cyber resilience is often delegated to IT teams or outsourced providers. However, as indicated in "ASIC Report 555 Cyber resilience of firms in Australia’s financial markets", managing cyber risk is very much a corporate governance issue that can be managed through good corporate governance principles.
Developing an overall governance framework, which includes procedures to identify, protect, detect, respond and recover to a cyber-attacks, will assist any business to lay solid foundations as part of a robust cyber resilience program.
What is the Impact on Uber and Equifax in Light of the Breaches?
The Uber breach resulted from a hack of its third-party cloud based storage. Cloud based storage is a popular option for many businesses, and one which can be easily forgotten when considering your cyber security risks and controls. Equifax found that its systems had been compromised by hackers who had exploited a weak point in its website software.
Both Uber and Equifax will be scrutinised on all aspects of their governance frameworks, including the systems, processes and procedures that they implemented to identify, protect, detect, respond and recover to a cyber-attack. The end effect on Uber is yet unknown but the breaches do highlight some key areas for concern, adding weight to those pushing for even tighter legislative change in this area.
What Should You Do?
With high profile cybercrime on the rise, the law, and indeed the industry regulators, will expect Directors and Executive Officers to ensure they are active and effectively overseeing and leading risk management. Cyber security is a business-wide problem which requires strategic and operational leadership from the top down.
Now is the time to start assessing your cyber security risks and controls to ensure that you are well placed to meet the requirements of the NDBR.
As noted by the Information Commissioner in a recent statement “It is...a timely reminder to Australian businesses and agencies of the reputational value of good privacy practice, and the reputational risks that can follow mishandling of personal data . “
Cyber security is more than just a tick-box risk, and the cases of Uber and Equifax only highlight the justification for Boards to allocate resources to systems and procedures to protect their data, their customers and themselves from any significant liabilities.
 Statement 22 November 2017, OAIC website