The Notifiable Data Breach (NDB) Scheme commenced in Australia on 22 February 2018, a little over eight weeks ago. Since then we have seen the ongoing Facebook and Cambridge Analytica controversy over the misuse of personal information, and 63 data breach notifications filed with the Office of the Australian Information Commissioner (OAIC), as reported in the OAIC's first quarterly statistics report (OAIC Report) since the introduction of the NDB Scheme.
Background to the NDB Scheme and OAIC Report
A data breach occurs when personal information is lost or subject to unauthorised access, modification, disclosure, or other misuse or interference. For all organisations, data breaches are not limited to hacking or cyber attacks on systems. More commonly, they result from internal human error or a failure to follow information handling policies, so that personal information is inadvertently lost or disclosed to the wrong person. The OAIC's figures for the 2016-2017 financial year bear this out: of the 114 voluntary notifications received, 51% were attributed to human error, and the majority of those involved inadvertent disclosure.
In our previous NDB Update article, we detailed how the NDB Scheme is designed to prevent organisations from concealing "eligible data breaches" where it is believed that the breach is likely to result in serious harm to the affected person(s). However, it is important to note that not all data breaches require notification under the NDB Scheme.
The NDB Scheme applies only to entities that fall within at least one of the following categories:
- those with an annual turnover of more than $3 million
- tax file number (TFN) recipients – any entity or person in possession or control of a record that contains TFN information
- entities that disclose personal information overseas
- entities that disclose credit eligibility information to other entities who do not have an Australian link
- credit reporting bodies
- credit providers.
Additionally, a data breach does not need to be notified if:
- remedial action is taken in response to a suspected data breach and that action succeeds in removing the likelihood of serious harm to the affected individuals
- the data breach cannot be remedied, but it is reasonable to conclude that serious harm is not likely to result
- it is unclear whether the breach has been remedied or whether serious harm is likely to result: where there are reasonable grounds to suspect an eligible data breach, the organisation must carry out an assessment within 30 days, and only if that assessment concludes an eligible data breach has occurred is notification required.
None of these exceptions prevents an organisation from notifying the OAIC voluntarily. For the 2016-2017 financial year, the OAIC received 114 voluntary data breach notifications. The top five notifying sectors were:
- health service providers (24%)
- legal, accounting and management services (16%)
- finance (13%)
- private education (10%)
- charities (6%).
The majority of the data breaches reported involved contact information (78%), with tax file numbers and financial details (30%) and health information (33%) also common; the percentages exceed 100% because a single breach can involve more than one category of information.
Facebook and Personal Information
A data breach can affect any organisation, regardless of size. In a stark example of personal information misuse and potential data breach, Cambridge Analytica, a data analytics firm, used personal information harvested from more than 50 million Facebook profiles without permission to build a system that could target US voters with personalised political advertisements based on their psychological profile, according to whistleblower Christopher Wylie, a former Cambridge Analytica contractor who helped build the algorithm.
The company collaborated with the developer of a Facebook app, thisisyourdigitallife. About 270,000 people downloaded the personality quiz app, which collected their profile information as well as information from their friends' profiles, so that data from over 50 million Facebook profiles was potentially harvested. Cambridge Analytica has denied any wrongdoing and said that the tactics it used are widespread among other firms, while Facebook ran ads in several major UK and US newspapers apologising for the incident and said it was investigating other applications that had access to large amounts of user data.
According to The Guardian, Facebook had been warned about its data security policies for a number of years, and had known about this particular misuse of data since 2015. Investigators from the UK Information Commissioner's Office (ICO) executed a search warrant at Cambridge Analytica's London offices, and the US Federal Trade Commission (FTC) is reported to have opened an investigation into whether Facebook has violated its privacy commitments.
In a statement released on 20 March 2018, the OAIC said it was aware of "the reports that users' Facebook profile information was acquired and used without authorisation." On 5 April 2018 it announced that it had opened a formal investigation into the incident, focusing on whether Facebook has breached the Privacy Act 1988 (Cth). Note that the data harvesting itself took place in 2014 and 2015, well before the NDB Scheme commenced, so the investigation concerns Facebook's broader obligations under the Act rather than the new notification provisions.
Current Reports Under the NDB Scheme
The number of breaches reported since the NDB Scheme came into operation may seem alarming, and perhaps it is. Some of those notices concerned breaches that occurred before the new regime came into force, but the volume does suggest that Australian organisations are taking their new obligations seriously.
Shipping company Svitzer Australia, which learned in March 2018 that its internal email had been compromised over a sustained period between May 2017 and March 2018, is among the current notifications. During that period, 50,000 to 60,000 internal emails were secretly auto-forwarded to addresses outside the organisation. Those emails may have contained employee information such as tax file numbers, superannuation details and employees' next of kin.
Separately, a recent CSO article reported that the personal details of approximately 150 million users of Under Armour's MyFitnessPal app were compromised after criminal hackers acquired usernames, email addresses and hashed passwords. Although payment card data was not involved, it is likely to be one of the largest breaches on record so far.
Handling a NDB
Once an organisation is aware that there are reasonable grounds to believe an eligible data breach has occurred, it must:
- prepare a statement in accordance with the Act, and
- give a copy of the statement to the OAIC as soon as practicable after becoming aware of the breach.
The organisation must also notify the affected individuals of the contents of that statement as soon as practicable.
For Australian organisations, the requirements of the NDB Scheme highlight the importance of having policies and procedures to protect personal information they possess, and ensuring that all employees are trained in their use.
The Impact of the GDPR
To further complicate notifiable breach obligations, all organisations that have an establishment in the EU, offer goods or services to individuals in the EU, or monitor the behaviour of individuals in the EU should also be aware of the GDPR, which applies from 25 May 2018. The GDPR is aimed at protecting the personal data of individuals in the EU, and under Article 4 personal data means "any information relating to an identified or identifiable natural person". The definition broadly covers every detail through which a person can be identified, such as name, address, telephone number, photos, email address, IP addresses, cookie identifiers, genetic data and biometric data.
This gives the GDPR a much wider reach than most other data protection regulations around the world. Affected organisations will need to take account of two main thrusts of the GDPR:
- strengthening EU residents' rights concerning their personal data, meaning organisations need to take greater steps to accommodate individuals. This includes collecting as little information as possible, telling individuals why their data is being used, and permitting them to access it or request that it be amended or erased, and
- mandating that organisations take steps to mitigate the risk of data breaches and respond appropriately if they are breached. This involves both organisational and technological measures. For example, organisations need to conduct data protection impact assessments when introducing new processes, systems and technology, and certain organisations need to appoint a data protection officer to oversee GDPR compliance. Organisations must also implement security measures appropriate to the risk, which the GDPR says may include pseudonymisation and encryption of personal data, and must regularly test and evaluate the effectiveness of those measures. The GDPR does not name penetration testing specifically, but regular penetration testing is the usual way that testing obligation is met in practice.
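Pseudonymisation is easy to get wrong. The following Python example is added here to illustrate the point and is not code from the original article or from any regulator: replacing an email address with an unkeyed SHA-256 hash looks anonymous but is trivially reversed by anyone who can guess candidate addresses, whereas an HMAC under a secret key held separately from the dataset keeps records linkable for analytics while making re-identification depend on the key. The records, key and candidate list are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed sample records about fictional people (not data from the article).
RECORDS = [
    {"email": "alice@example.com", "postcode": "2000", "condition": "asthma"},
    {"email": "bob@example.com", "postcode": "3000", "condition": "diabetes"},
    {"email": "Alice@Example.com", "postcode": "2000", "condition": "hay fever"},
]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed hash of the identifier.

    This is NOT adequate pseudonymisation: the input space (email addresses)
    is guessable, so anyone can recompute the hash for candidate addresses
    and match it against the dataset.
    """
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret key.

    The same identifier always maps to the same token, so records for one
    person remain linkable, but recomputing (and therefore reversing) a token
    requires the key, which should be stored separately from the dataset.
    """
    data = identifier.strip().lower().encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Return copies of the records with the email replaced by a keyed token."""
    out = []
    for record in records:
        rec = dict(record)
        rec["subject"] = keyed_pseudonym(rec.pop("email"), key)
        out.append(rec)
    return out


def dictionary_attack(token: str, candidates, tokenise):
    """Re-identify a token by recomputing it over guessed identifiers.

    `tokenise` is whatever function the attacker believes produced the token.
    Returns the matching identifier, or None if no candidate matches.
    """
    for candidate in candidates:
        if hmac.compare_digest(tokenise(candidate), token):
            return candidate
    return None


def new_key() -> bytes:
    """Generate a fresh 256-bit pseudonymisation key (keep it out of the dataset)."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    key = new_key()
    guesses = ["carol@example.com", "alice@example.com", "bob@example.com"]

    weak = naive_pseudonym("alice@example.com")
    print("unkeyed hash re-identified as:",
          dictionary_attack(weak, guesses, naive_pseudonym))

    strong = keyed_pseudonym("alice@example.com", key)
    print("keyed token re-identified without key:",
          dictionary_attack(strong, guesses, naive_pseudonym))

    for rec in pseudonymise(RECORDS, key):
        print(rec)
```

The attacker with only the dataset recovers the unkeyed hash immediately, and the two records for the same person still share a token under the keyed scheme, so the analytics use case survives. The residual risk is the key itself: whoever holds it can re-identify every subject, so key custody and rotation are part of the control, not an afterthought.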
There are many other flow-on effects for organisations affected by the GDPR including:
- consent - which cannot be assumed under the GDPR. It is mandatory to obtain consent in a specific manner; it must be understandable to a person who is not proficient in the field of law or technology.
- children's data - personal data of children can prove to be more sensitive in nature in certain circumstances especially when they interact over the internet. Therefore, the parent or guardian or such other person that holds "parental responsibility" of a child below the age of 16 years, shall act on behalf of the child for the purpose of providing or withdrawing the consent. While the GDPR allows a member state to lower the age limit below 16 years, it must be noted that the age limit cannot be lower than 13 years.
Similar to the Australian NDB Scheme, under the GDPR any organisation collecting, storing or processing the personal data of individuals in the EU must notify the relevant supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Failure to comply with the notification requirement attracts a penalty of up to €10 million or 2% of the organisation's worldwide annual turnover, whichever is higher. The higher tier of €20 million or 4% of turnover applies to other infringements, such as breaches of the GDPR's basic principles or of data subjects' rights.
Returning to Facebook, in the current congressional hearings the company has been reticent about whether, and how, GDPR-style protections will be extended to users outside Europe.
Impact of IT Security Policies
According to a recent Australian IT security study, nearly half of the Australian organisations required to comply with the NDB Scheme lack suitable IT security policies, and 57% have not completed any form of IT risk assessment in the past year. Protecting personal information as the NDB Scheme requires means every organisation should be paying attention to the mobile and internet solutions it is running, implementing and planning, and should conduct a risk assessment of its IT security.
Some key risk protection measures for organisations could include:
- Preventing interception of communications, for example man-in-the-middle attacks over unsecured public Wi-Fi or Bluetooth, or via fake cell towers (so-called stingrays) that spoof 2G/3G/4G networks.
- Protecting against unauthorised physical access to devices through strong password policies, enforced device encryption, geotracking and geofencing.
- Ensuring device compliance with policies suited to your organisation, industry and patterns of device use. This may include enforced separation of work and personal data and apps, to reduce the risk and liability to the business.
What Organisations Should be Doing Now
Privacy Awareness Week 2018 (PAW) is celebrated in Australia from 13-18 May 2018. Combined with the introduction of the NDB Scheme, PAW reinforces the message that organisations must take privacy and data protection seriously. Monetary penalties for failing to comply with the new NDB Scheme are up to $360,000 for individuals and $1.8 million for organisations. And as the issues with personal information access via Facebook show, organisations should also look closely at their cyber security policies to prevent any data breaches from occurring in the future. They should also make sure their guidelines for handling personal information are clear and all staff are trained in their use, to embed behavioural and cultural change to prevent employee negligence - a root cause of data breaches.