Data Breaches and Social Slander
How to manage online risk

Peter Moran, Principal, Norton Gledhill
Ian Bloomfield, Managing Director, Ignite Systems
Overview

- What is data? What about meta-data?
- What is a data breach & how can it happen?
- Mandatory Data Retention
- Privacy and Mandatory Data Breach Notifications
- The Cloud
- Practical tips for avoiding a Data Breach
- Practical tips for handling a Data Breach
- Social Media Slander and Reputational Risk

How to manage online risk | 9 March 2017 |
What is data?

Information converted into a digital form. Most regimes relating to data protection are referring to identifying information, confidential information, sensitive information or personal information. The concept of "personal information" should be well understood in the context of the Privacy Act regime:

"information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not."
What is data?

"Sensitive information" is a type of personal information that discloses information about an individual's:
- health (including predictive genetic information)
- racial or ethnic origin
- political opinions
- membership of a political association, professional or trade association or trade union
- religious beliefs or affiliations
- philosophical beliefs
- sexual orientation or practices
- criminal record
- biometric information that is to be used for certain purposes
- biometric templates

A breach relating to sensitive information may be more likely to give rise to substantial harm to an individual than other types of personal information.
What about meta-data?

Data about data.
https://www.youtube.com/watch?v=XZTiN778B-c
What is a data breach?

OAIC Data Breach Notification: A guide to handling personal information security breaches

Data breach means "when personal information held by an agency or organisation is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference".
personal-information-security-breaches
What is a data breach?

Privacy Amendment (Notifiable Data Breaches) Bill, Explanatory Memorandum:

A data breach arises where there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals (the affected individuals), or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure.
https://www.legislation.gov.au/Details/C2016B00173/Explanatory%20Memorandum/Text
How can it happen?

In October 2016, the Australian Red Cross announced that it had become aware that a file containing over 550,000 Australian donors' personal information had been made publicly accessible. Personal information caught in the breach included sexual risk questions. The cause of the breach was a third party organisation which develops and manages the Red Cross's website.

In November 2016, a Fairfax Media investigation revealed that overseas companies are selling the personal data of Optus, Telstra and Vodafone customers to anyone willing to pay. The data was reportedly leaked by corrupt call centre workers. In response, the Australian Information and Privacy Commissioner said he would be in touch with the three telcos to remind them of their obligations and to consider his options.

In September 2016, University of Melbourne academics notified the Health Department that they were able to decrypt some service provider ID numbers in the publicly available Medicare 10 per cent dataset. The Department of Health immediately removed the dataset from the website and the Australian Information and Privacy Commission launched an investigation into the leak.
How can it happen? Unintentional

- Lost device storing data: laptop, tablet, mobile phone, portable storage device.
- Disposal of equipment, or return of leased equipment, containing digital storage media without the contents first being erased: computer hard drives, storage integrated in devices such as multifunction printers.
- Mistakenly providing personal information to the wrong person, e.g. sending to the wrong address.
How can it happen? Illegal activity – external actor

- Stolen device storing data: computer of any sort (home desktop), mobile phone, portable storage device.
- Files containing personal information being 'hacked' or otherwise illegally accessed.
- An individual deceiving an agency or organisation into improperly releasing the personal information of another person.
How can it happen? Illegal activity – internal actor

- Employees accessing or disclosing personal information outside the requirements or authorisation of their employment.
- Taking personal information home on a computer or removable media.
- Emailing personal information.
- Posting personal information on social media.
How can it happen?

In May 2016 an article in Law360 reported on a study that found employees are the number-one contributor to private data breach incidents, with over half of companies surveyed reporting they have experienced a security incident because of a malicious or negligent employee.
https://www.law360.com/articles/799293/employee-slip-ups-underlie-most-data-breaches-study-says
Mandatory Data Retention

The Telecommunications (Interception and Access) Act 1979 requires telecommunications companies to retain a particular set of telecommunications data for at least two years.
- Applies to "any person who supplies, or proposes to supply, an internet carriage service to the public" – potentially broader than the traditional notion of an ISP.
- A limited range of data is to be retained: information about a communication, but not the content or substance of a communication.
- For phone calls, data is information such as the phone numbers of the people talking to each other and how long they talked to each other for, not what they said.
- For email activity, data is information such as the relevant email addresses and when the email was sent, not the subject line of the email or its content.
Mandatory Data Retention

- April 2017 deadline for ISPs to have data retention processes in place.
- Social media is excluded from the regime.
- Regime greatly extended by the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015.
- Very controversial and coined as a "data tax".
Data Retention – What is and isn't included?

What isn't included?
- Web browsing history.
- The body or text of SMS messages.
- The body and subject lines of emails.
- Files attached to emails including photos or documents.
- The audio of phone conversations.
- The audio recordings of online or social media chats.
- Information about what features were used on any particular call such as call waiting or call forwarding.
- Continuous location tracking via mobile devices.

What will be kept for a minimum of two years?

Phone calls:
- Incoming caller identification.
- Outgoing caller identification.
- The time, date and duration of the phone call.
- The location of the device at the beginning and the end of the phone call.
- The status of a mobile device, for example, if it is lost, stolen or on roaming.
- The unique identifier number assigned to a particular mobile phone device.

Internet (if these services are provided by an Australian operator):
- Email address.
- The time, date, size and recipients of emails.
- The file type and size of any attachments sent or received with emails.
- Online chat time, date and the identity of those on the chat.
- Details about internet usage including how much bandwidth the internet service provides.
- How many uploads/downloads made and the size of each one.
- Details about what technology enabled each communication i.e. ADSL, wifi, cable internet.
- Account details held by the ISP or telco provider, including when the account was activated or suspended.
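The split between the content of a communication and the information about it is easier to see in code. The following is an added example and not part of the original slides: it parses one constructed email and emits only the retained kinds of fields (addresses, time and date, message size, recipients, attachment type and size), leaving the subject line, body text and attachment contents behind. The sample message, its names and addresses are made up for this example; the field names in the record are the example's own choice, not a regulatory schema.

```python
"""
Added example, not from the original slides: derive a data-retention record
for one email from its raw RFC 5322 text, keeping only the kinds of fields
the slide lists as retained (email addresses, time and date, size,
recipients, attachment file type and size) and never copying the subject
line, body text or attachment contents, which the slide lists as excluded.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import List

# Constructed sample message (assumption for this example; addresses are made up).
SAMPLE_EMAIL = b"""From: alice@example.com
To: bob@example.com, Carol <carol@example.net>
Cc: dave@example.org
Subject: Quarterly numbers (confidential)
Date: Thu, 09 Mar 2017 10:15:00 +1100
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Hi all, the figures are attached. Please treat as confidential.
--XYZ
Content-Type: application/pdf; name="q1.pdf"
Content-Disposition: attachment; filename="q1.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--XYZ--
"""


def _address_specs(msg: EmailMessage, header: str) -> List[str]:
    """Bare addr-specs (user@host) from an address header, or [] if absent."""
    value = msg[header]
    return [a.addr_spec for a in value.addresses] if value is not None else []


def retention_record(raw: bytes) -> dict:
    """Build the metadata-only record; content fields are deliberately absent."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    record = {
        "sender": _address_specs(msg, "From"),
        "recipients": _address_specs(msg, "To") + _address_specs(msg, "Cc"),
        "timestamp": msg["Date"].datetime.isoformat(),
        "size_bytes": len(raw),  # size of the whole message, not its text
        "attachments": [],
    }
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        # Only the attachment's type and decoded size are kept, never its bytes.
        record["attachments"].append({
            "content_type": part.get_content_type(),
            "size_bytes": len(payload),
        })
    return record


def content_leaked(record: dict, raw: bytes) -> bool:
    """Sanity check: True if the subject line or body text reached the record."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flat = repr(record)
    if str(msg["Subject"]) in flat:
        return True
    body = msg.get_body(preferencelist=("plain",))
    return body is not None and body.get_content().strip() in flat


if __name__ == "__main__":
    import json
    rec = retention_record(SAMPLE_EMAIL)
    print(json.dumps(rec, indent=2))
    print("content leaked:", content_leaked(rec, SAMPLE_EMAIL))
```

The `content_leaked` check is the part worth keeping in any real pipeline: a retention store is only "metadata" if nothing content-bearing can reach it, and a test that feeds a known subject and body through and confirms they are absent is cheap insurance against a later field being added carelessly.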
Mandatory Data Retention – Problems to Consider

- The regime is complex and difficult to interpret even for specialists in the telecommunications sector.
- How will the Internet of Things interact with the regime (eg how will data be collected)?
- What about all the data generated in Australia not held by Australian ISPs (eg Google, Gmail, Skype etc)?
- When in doubt, ISPs will "over-retain" data.
- Possibility of meta-data being used in civil cases.
Mandatory Data Breach Notification

Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth)
- Amends the Privacy Act 1988 to require agencies, organisations and certain other entities to provide notice to the Australian Information Commissioner and affected individuals of an eligible data breach.
- Will commence sometime between now and February 2018.
- Applies to organisations already subject to the Privacy Act (ie turnover in excess of $3 million).
- Makes mandatory what many organisations have started to do voluntarily (eg Australian Red Cross).
Mandatory Data Breach Notification

- A data breach is unauthorised access to or disclosure of personal information, including the loss of personal information that is likely to give rise to unauthorised access or unauthorised disclosure.
- It is an "eligible data breach" if a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals.
- Serious harm includes serious physical, psychological, emotional, economic and financial harm as well as serious harm to reputation.
- If an entity suspects an eligible data breach has occurred, it must undertake an assessment of the relevant circumstances.
- If there is a data breach and remedial action is taken such that there is no unauthorised access to or unauthorised disclosure of personal information, or no serious harm, then it is not an eligible breach.
Privacy: Australian Privacy Principles

Apply if revenue is over $3 million.
- APP 11: must take reasonable steps to protect personal information from misuse, interference and loss and from unauthorised access, modification or disclosure.
- APP 12: must provide access to a person's personal information upon request of that person.
- APP 8: if personal information is disclosed to an overseas organisation, the entity can be responsible for the use of the information by that organisation.
Privacy: What is disclosure?

- Not defined in the Privacy Act.
- The APP Guidelines say that an APP Entity discloses personal information when it makes it accessible to others outside the entity and releases the subsequent handling of the personal information from its effective control (B.64).
- Disclosure is to be contrasted with "use". See 8.14 of the APP Guidelines: "For example, where an APP Entity provides personal information to a cloud service provider located overseas for the limited purpose of performing the services of storing and ensuring the entity may access the personal information, this may be a 'use'", provided:
  - there is a binding contract between the parties for the information to be handled only for these limited purposes;
  - the contract requires subcontractors to agree to the same obligations; and
  - the contract gives the entity effective control of how the information is handled.
What is the cloud?

The provision of Information Technology infrastructure as a service rather than as a product – ie you share someone else's infrastructure rather than have your own. "Outsourcing and renting back IT infrastructure."

Three core types of services:
- Software as a Service (SaaS)
- Infrastructure as a Service (IaaS)
- Platform as a Service (PaaS)

Also training-as-a-service, service-as-a-service, disaster-recovery-as-a-service.
Cloud Services

"ASD [Australian Signals Directorate] strongly encourages agencies to choose either a locally-owned vendor or a foreign-owned vendor that is located in Australia and stores, processes and manages sensitive data only within Australian borders. Note that foreign-owned vendors operating in Australia may be subject to foreign laws such as a foreign government's lawful access to data held by the vendor."
– "Cloud Computing Security Considerations", ASD Discussion Paper
rity_considerations.htm
Cloud Services – tips and tricks

- Use a structured process when selecting cloud services, in particular reviewing the provider's terms of service, privacy policy, security policy, data retention policy etc.
- Investigate whether your cloud service provider is compliant with relevant industry standards (see, for example,
- Ensure contracts clearly define performance obligations, including support response times and a clear method for measuring performance.
- Ensure an "exit procedure" is settled, including providing for the service provider encountering an insolvency event.
Cloud Services – tips and tricks

- Investigate whether your service provider uses data encryption.
- Ensure that your cloud services provider warrants that all data will be held within Australian data centres.
- Negotiate a dispute resolution procedure with the cloud service provider, in particular as regards access to data during a dispute, such as using a data escrow agent.
Practical Tips for Avoiding a Data Breach
Data governance

- Risk assessment
- Policies
- Processes and procedures
- Accountabilities
- Handling of data
- Storage of data
- Access to data
Practical Tips for Avoiding a Data Breach
Data audit

- What Personal Information is collected?
- How is the Personal Information collected?
- How is the Personal Information processed?
- Where is the Personal Information stored?
- Who has access to the Personal Information?
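Two of the audit questions, where the Personal Information is stored and who has access to it, can be given a first answer by a discovery scan of the file shares an organisation already has. The following is an added example and not part of the original slides: it walks a directory, counts likely personal-information patterns in each text file and reports whether the file is readable by everyone on the host. The detection patterns, directory layout and sample files are constructed assumptions for this example; a real audit would extend the patterns to the identifiers the organisation actually collects and would run the scan against the real shares.

```python
"""
Added example, not from the original slides: a small discovery scan for the
data-audit questions "where is the Personal Information stored?" and "who
has access to it?". It walks a directory, counts likely personal-information
patterns in each text file and reports the file's permission bits.
"""
import os
import re
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Constructed detection patterns (assumptions for this example).
PATTERNS = {
    "email_address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # Australian-style numbers such as 0412 345 678 or (03) 9123 4567
    "phone_number": re.compile(r"\(0\d\)\s?\d{4}\s?\d{4}|\b0\d(?:[ -]?\d){8}\b"),
}


def scan_file(path: Path) -> Optional[Dict]:
    """Return a finding for one file, or None if it holds no matching data."""
    try:
        text = path.read_text(errors="ignore")
    except OSError:
        return None
    counts = {name: len(rx.findall(text)) for name, rx in PATTERNS.items()}
    if not any(counts.values()):
        return None
    mode = path.stat().st_mode
    return {
        "path": str(path),
        "counts": counts,
        # "Who has access?": a world-readable file is the first thing to fix.
        "world_readable": bool(mode & stat.S_IROTH),
        "mode": stat.filemode(mode),
    }


def scan_tree(root: Path) -> List[Dict]:
    """Walk root top-down and collect findings in a stable (sorted) order."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            finding = scan_file(Path(dirpath) / name)
            if finding:
                findings.append(finding)
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample files: one donor export, one plain note, one contact memo."""
    (root / "hr").mkdir()
    donors = root / "hr" / "donors.csv"
    donors.write_text(
        "name,email,phone\n"
        "A Person,a.person@example.com,0412 345 678\n"
        "B Person,b.person@example.net,(03) 9123 4567\n"
    )
    donors.chmod(0o644)                      # readable by everyone: flagged
    (root / "notes.txt").write_text("Meeting at 10am, agenda attached.\n")
    contacts = root / "contacts.txt"
    contacts.write_text("Call c@example.org tomorrow.\n")
    contacts.chmod(0o600)                    # owner only


def run_demo() -> List[Dict]:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding["mode"], finding["path"], finding["counts"])
```

The output is an inventory, not a verdict: a hit means a file is worth a human look, and the permission column tells the auditor which of those files anyone on the host can already read. Pattern counts are deliberately coarse (a regex will miss a name in free text and will match the odd non-personal number), so the list is a starting point for the "where" and "who" questions rather than a substitute for asking the business units what they hold.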
Practical Tips for Avoiding a Data Breach
Cyber Security - Email (sending)

- Don't email Personal Information unless essential
- Don't use personal accounts
- Confirm the legitimacy of the recipient before sending
- Use encryption if it is an option
Practical Tips for Avoiding a Data Breach
Cyber Security - Email (receiving)

- Don't click on links in emails
- Never open an attachment unless you are expecting it, or you have confirmation from the sender about its authenticity
Practical Tips for Avoiding a Data Breach
Cyber Security - Files

- Use encryption on laptop computers
- Do not store Personal Information on portable media
- Don't use personal cloud file storage like Dropbox and iCloud to store company files
Practical Tips for Avoiding a Data Breach
Cyber Security - Passwords

- Use strong passwords
- A different one for every account
- Change passwords regularly
- Better still, use multi-factor authentication
Practical Tips for Avoiding a Data Breach
Cyber Security - Social Media

- Risk of posting information that compromises your identity
- Social platforms used as a delivery mechanism for malware
Practical Tips for Avoiding a Data Breach
Training and awareness

Is everyone aware of the company policies, processes and procedures, and their personal responsibilities?
- Access and handling of Personal Information
- Cyber security
- Social media usage
Practical Tips for Handling a Data Breach

OAIC Data Breach Notification: A guide to handling personal information security breaches

Responding to data breaches: four key steps
- Step 1: Contain the breach and do a preliminary assessment
- Step 2: Evaluate the risks associated with the breach
- Step 3: Notification
- Step 4: Prevent future breaches
personal-information-security-breaches
Practical Tips for Handling a Data Breach
Be prepared

- Have a policy
- Have processes and procedures
- Treat a possible breach as a breach until proved not to be a breach
- Act quickly
- Follow up on all breach incidents
Social media and reputation breaches – findings from the Madden appeal

- Statements made on a personal Facebook page could be made in trade or commerce.
- An allegation of copying or plagiarism may be held to be a statement of fact, not an opinion.
- Recklessly made statements of opinion can still be misleading.
- A defamatory response to a defamatory statement must be proportional.
Social media slander and reputation breaches

The Madden decision provides some salutary lessons about the use of social media by businesses. In particular:
- always check the accuracy of facts and assertions before publishing those facts or expressing opinions about those facts, particularly where such facts or opinions are directly or indirectly critical or derogatory of third parties;
- be careful to express only opinions when making critical comments about businesses on personal social media pages (ie expressions of fact may be misleading or defamatory); and
- when responding, in a public way, to comments made by a third party which are asserted as being false, ensure the response is proportionate and does not itself make false assertions.
Resources

- Privacy Amendment (Notifiable Data Breaches) Bill, Explanatory Memorandum: https://www.legislation.gov.au/Details/C2016B00173/Explanatory%20Memorandum/Text
- The Australian Privacy Principles guidelines: https://www.oaic.gov.au/privacy/applying-privacy-law/app-guidelines
- OAIC Data Breach Notification: A guide to handling personal information security breaches: handling-personal-information-security-breaches
- Cyber Precedent: an information campaign by the Law Council of Australia to assist the legal profession defend itself against growing cyber threats
- StaySmartOnline: the Australian Government's online safety and security website: https://www.staysmartonline.gov.au
- Identity security: information on the Attorney-General's Department website: https://www.ag.gov.au/identitysecurity
- Security Tips for the Use of Social Media: Australian Signals Directorate information: https://www.asd.gov.au/publications/protect/security_tips_for_using_social_media_websites.htm