A third time is a charm, in life and in data breach notifications laws. On February 13, 2017, the Australian government, in its third attempt, passed the Notifiable Data Breaches scheme, which finally came into effect on February 22nd of this year.
While we all have a conceptual idea of what a data breach notification means, but when it comes to required action, we have to look at the nitty gritty details. Let’s start with how a data breach is defined down under.
Get the Free Pen Testing Active Directory Environments EBook
Australia’s Definition of a Data Breach
Australia defines a breach broadly enough to include unauthorized disclosure or access of personal information, which means that a ransomware attack that encrypts but does not exfiltrate data can constitute a reportable breach.
Like the GDPR, Australia broadly considers personal data to be any information about an identified individual or that can be reasonably linked to an individual.
In real-world terms, it means that if hackers get phone numbers, bank account data, or medical records, then it’s considered a breach. For more examples on the kinds of data that may increase the risk of serious harm if there is a data breach, click here.
Australia’s Data Breach Notification Rules
The rules will apply to any organisation with an annual turnover of more than $3 million, but small businesses under that threshold will still be subject to compliance if they handle sensitive health documents or government contracts.
The new Australian amendment also has a harm threshold that has to be met for the breach to be reportable. This is not unusual–we’ve seen these same harm thresholds in US states breach notification laws, and even the EU’s GDPR and the NIS Directive.
In the Australian case, the language used is that the breach will “likely to result in serious harm.” While not explicitly stated, the surrounding context in the amendment says that breach would have to cause serious physical, psychological, emotional, economic, reputational, and financial harm or other effect that a “reasonable” person would agree.
Australian Privacy Commissioner Timothy Pilgrim describes serious harm in the following way, “Well, serious harm can manifest in a number of ways. It can be through financial harm, so, someone’s account’s been at risk in a financial institution. It can be psychological or emotional harm, for example, if someone’s health records were breached. There can be reputational harm, if the wrong information gets out, as well.”
After the Breach that Caused Serious Harm
As soon as an organisation is aware of a harmful breach event, then Australian organizations will have to notify the regulators as soon as possible after discovery. They’ll need to provide them with breach details, including the information accessed, as well as steps affected individuals should take.
If an organization fails to report a serious data breach, or fails to report a data breach on two or more separate occasions, the Office of the Australian Information Commissioner has the ability to seek a civil penalty order against the organisation of up to $2.1 million AU, depending on the significance and harm that may result from the breach.
Organisations can submit their notification of a data breach to the Australian Commissioner through the Notifiable Data Breach form. Afterwards, they can notify individuals as soon as possible.
Exceptions to the Rule
As a side note, the Australian breach notification rule goes further with explicit remediation exceptions that give the covered entities – privacy sector companies, government agencies, and health care providers – a bit of wiggle room.
If the breached entity can show that they have taken actions involving the disclosure or access before it results in serious harm, then they don’t have to report it.
Particularly with health care providers, this exception is intended to avoid duplication of notices under the NDB scheme and the data breach notification requirements in the My Health Record system.
But How Will You Know When There’s Breach?
Practically speaking, before assessing whether a breach is likely to result in serious harm, organisations first need to know when a data breach is taking place.
Employees, law enforcement agencies, customers and service providers are frequently the first to detect the problem. If you encounter ransomware, you won’t be able to get past the ransom note. But the reality is, a majority of data breach victims don’t have adequate security systems that would help them self-detect data breaches.
What’s more, while most breach compromises occur in days, most discoveries do not. The longer it takes to detect a breach, the more expensive it will be. In a recent study, US companies took an average of 206 days to detect a data breach.
In the case study below, the organisation discovered the breach through an employee.
Australian Data Breach Case Study
Recently, an Australian shipping company, Shvitzer announced that they suffered a data breach that lasted 339 days before they discovered and stopped it. Ahem, that’s 133 days over the average.
Between May 27, 2017 and March 1, 2018, up to 60,000 emails from three accounts in finance, payroll and operations were secretly auto-forwarded to two external accounts.
What initiated the investigation? Svitzer’s IT help desk got a call from an employee about an email rejection notice from an external email account.
Svitzer’s head of communications, Nicole Holyer said that the compromised email account owners couldn’t see that their emails were being forwarded.
“We’ve ruled out that it was someone internally,” Ms Holyer said. However, the outsider has not yet been identified.
What we know about outside hackers is that they can easily go around the perimeter and get inside. Without behavior-based anomaly detection, once an outsider is in, the attackers often appear as just another user.
How Alerting Assists in Incident Response
If you don’t want to wait for an employee to report suspicious behavior or wait for an anomaly to occur, alerting is a key factor in discovering and stopping exfiltration from doing even more damage.
Our friend, Australia-based security analyst Troy Hunt, said that it’s unusual to see information exfiltrated one email at a time, “One of the interesting things here is that many organisations configure their mail environment such that you cannot forward automatically to external addresses precisely because of things like this.”
For anomalies like Svitzer’s, it’s helpful to have an alerting system such as Varonis DatAlert to catch a breach similar to this one and more. With DatAlert, you can set up a rule to detect when automatic forwarding is enabled on mailboxes. This alert and others likely would have triggered and notified the proper individuals to stop the breach before any harm was done.
System Administrator Aaron Neilson of Nature’s Sunshine Products had this to say about how DatAlert helped bolster their security posture, “Certain alerts will trigger scripts that will disable accounts to prevent further harmful actions. This has helped minimize or eliminate the impact from ransomware attacks.”
What’s more, those with Exchange and Exchange Online can also leverage Varonis DatAdvantage and DatAlert to:
- Monitor and report on all email activity (message opened, send message, edited message, mark email as read or unread)
- Alert on abnormal email behavior such as forwarding thousands of emails to external email address
- Alert when an account gains access to a mailbox other than their own
- Alert when an IT admin accesses mailboxes in a suspicious way (e.g., reading the CEO’s inbox and marking messages as unread)
Today, Australian consumers who have had their personal data inappropriately accessed and put in serious harm will have the law on their side. The Australian Notifiable Data Breach Scheme will effectively be their alerting system.