Weathering the Storm: Cybersecurity and managing information in the wake of the Optus & Medibank privacy data breaches

Historically, businesses have kept documents to ‘be on the safe side’.  But, as we now see in the wake of last year’s Optus and Medibank data breaches, this approach is not without its risks.  As we rely more and more on computers and networks for our day-to-day business activities, so too does the sophistication, frequency and harm of cyber incidents grow.  ​In this article, we explore the various legislative requirements that cover the collection, security and retention of information, and the lessons emerging from the Optus and Medibank data breaches.

High-profile data breaches

While investigations are ongoing into the Optus and Medibank data breaches, we all know someone who has been affected.  But these are certainly not the first high profile hacks to expose very personal information of Australians.

• In 2018, the Australian National University fell victim to a highly sophisticated spear-phishing cyber-attack affecting 200,000 students, where sensitive information dating back 19 years was accessed, including names, addresses, phone numbers, dates of birth, emergency contact details, tax file numbers, payroll information, bank account details and student academic results.
• In 2019, Australian unicorn, Canva, suffered a data breach impacting 137 million of its users, including usernames, names, email addresses, passwords, and payment data.
• In 2020, 47 Service NSW staff email accounts were hacked through a series of phishing attacks, leading to 5 million documents being accessed, 10 percent of which contained sensitive data impacting 104,000 people.
• In 2021, Tasmanian Ambulance communications network was hacked, and every person requesting an ambulance between November 2020 and January 2021 had personal information posted online, including HIV status, gender, age and address of the emergency incident.

These events underscore the urgency of assessing the vulnerability of our information management systems and our privacy and data breach procedures

The World Wide Web: Convenience & Insecurity

The World Wide Web is the single most important platform for doing business in modern times.  It was invented in 1989 by an English scientist as a catalogue for scientists in different locations around the world to easily find and view data. At that time, the Web was not seen or used as a place to store personal information, but as a platform designed for openness and flexibility.  Accordingly, security concerns were minimal.

Fast forward three decades to a time when we all carry our own personal computers connected to the World Wide Web on which we do everything from verifying our identity to paying our bills to making real time investments.  Understanding cybersecurity is therefore critical to business’ risk management approach and regulatory compliance. While we need not be experts, we do need to know how to keep our clients’ information safe to comply with our legal obligations.

Regulatory spotlight: Privacy & Cybersecurity

Information that is required to be collected and retained by licensees in the provision of financial and credit services encompasses ‘personal information’ as defined under the Privacy Act[1].

‘Personal information’ means information or an opinion about an identified individual, or an individual who is reasonably identifiable.

For example:

• financial service licensees giving personal advice to retail clients collect information about objectives, financial situation and needs of the client, which may include questionnaires about salary, investments and health, superannuation statements, tax returns, etc.
• credit assistance providers collect information about consumers’ requirements and objectives and financial situations, which may include credit reports, bank statements, loan statements, payslips, tax returns, etc.
• non-bank lenders collect information about the corporate customer – known as KYC – including information identifying beneficial ownership and control structure of corporate entities, which may include identification documents such as the results of online person searches, passport, driver’s license, etc.

So, as well as having obligations under the financial and credit services regimes in relation to information collection and retention, licensees owe separate and additional obligations under the Privacy Act.

Privacy reform

Recent privacy reforms were fast-tracked in response to the Optus and Medibank data breaches via the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (Cth).  These reforms built upon the significant reforms passed in 2018 which considered the fallout from the 2018 Cambridge Analytica scandal[2] and notably introduced the Notifiable Data Breaches scheme.  In its most recent report on the scheme, the OAIC noted that financial services were the second highest source of reporting entities.

The recent privacy reforms include:

• extended territorial reach of the Privacy Act to Australians’ data even when used by foreign companies
• increased penalties under the Privacy Act for serious or repeated interferences with privacy, which for a company will by the greater of $50 million, 3 times the benefit obtained from the breach or 30% of the company’s revenue during the period
• expanded enforcement powers​ for the Office of the Australian Information Commissioner, including infringement notices and post determination orders for independent advice and publication relating to the breach conduct
• greater information gathering and sharing powers for the OAIC and the Australian Communications and Media Authority, including sharing information with other authorities and for the OAIC publishing information in the public interest
• strengthened Notifiable Data Breaches scheme permitting the OIAC to request information and documents about actual or suspected eligible data breaches for compliance assessments

Prioritising cybersecurity

Alongside its commitment to privacy reform, the federal government has since 2017 allocated cyber security to a ministry and created a single point of advice and support on cyber security, the Australian Cyber Security Centre.  One of ASIC’s four newly released strategic priorities for the next four years is technology risk, which it defines as:

“Focus on the impacts of technology in financial markets and services, drive good cyber-risk and operational resilience practices, and act to address digitally enabled misconduct, including scams”.

In its recent case against RI Advice,[3] ASIC alleged breaches of section 912A(1) of the Corporations Act regarding the licensee’s failure to have and implement policies, procedures, resources and controls which were reasonably appropriate to adequately manage cybersecurity and resilience risk.

RI Advice engaged more than 100 authorised representatives, among whom there were 9 incidents of cyber attacks over a period of 6 years.  The incidents included hacking of emails, ransomware and phishing attacks, which led to the loss of personal information, client funds and customer trust.  These incidents became known to the licensee, which it investigated but failed to address in a timely manner.  RI Advice admitted the breaches and was ordered to engage a cybersecurity expert to identify and implement further cybersecurity measures across its network and to pay $750,000 of ASIC’s costs.  Interestingly, the Court applied the standard of a reasonable person with expertise in cybersecurity as the relevant standard for assessing the suitability of cybersecurity measures.

Cleaning house: Information collection, retention and destruction

To minimise the risk of licensee obligation and data breaches, limiting the data you hold to that which is necessary is a good place to start.  This may require an audit of the information you already hold and information that you collect in future to inform you as to which information you may be able to destroy.  This process will involve consideration of the type of information and the reasons for which you collected it.  This is because licensees are bound by several different obligations in relation to the retention of information.

For example, in circumstances where a credit assistance provider collects information to assess the unsuitability of a home loan for a Victorian consumer, they must:

• Retain ‘credit information’ relating to ‘consumer credit liability information’ under the Privacy Act for 2 years, starting on the day on which the consumer credit to which the information relates is terminated or otherwise ceases to be in force[4]
• Retain financial records under the National Credit Act for 7 years[5]
• Retain records relating to the provision of designated services (i.e. lending) under the Anti-Money Laundering & Counter Terrorism Financing Act for 7 years, starting the day after the record was created[6]
• Retain documents that are, or reasonably likely to be, required in evidence in a legal proceeding under the Crimes Act (Victoria) for an unlimited time[7]

This example illustrates the complexity that can attach to the management of information.  The recent data breaches and regulatory focus, however, show us the dangers of compliance complacency and the importance of knowing what information you have, why you collect it, how to keep it safe and when you can destroy it.

Tips

1. Know what information you need to collect, how to keep it secure and when it can be destroyed​
2. Audit and schedule destruction dates for information you already have​
3. Update your Policies & Procedures​
4. Ensure you have adequate resourcing​ to manage information
5. Prepare for, protect against, respond to & recover from cyber incidents

If you have any questions concerning your document storage or managing your cybersecurity risks, contact us to speak to one of our experts.

Contact Us

Our Expert Team

Our Training

 

Author: Ursula Noye (Senior Associate)

[1] Section 6 of the Privacy Act 1988 (Cth).

[2] The Cambridge Analytica scandal saw peoples’ Facebook data was used without permission to create profiles for use in targeted political marketing.

[3] Australian Securities and Investments Commission v RI Advice Group Pty Ltd [2022] FCA 496 (5 May 2022]

[4] Section 20W of the Privacy Act 1988 (Cth)

[5] Section 95 of the National Consumer Credit Protection Act 2009 (Cth)

[6] Section 106 of the Anti-Money Laundering and Counter Terrorism Financing Act 2006 (Cth)

[7] Section 254 of the Crimes Act 1958 (Vic)​