Ensuring business continuity in the time of COVID-19 pandemic: data security risks

As Governments implement severe measures to fight the COVID-19 pandemic, businesses are increasingly reliant on remote Internet-connected workforces in order to ensure business continuity. With this shift to remote working come heightened data sensitivity risks, including an increase in the likelihood of cyber attacks and privacy breaches.

Businesses must be vigilant in this heightened risk environment. Despite the extraordinary environment in which we find ourselves, data security and privacy obligations continue to apply.

This means that you should:

Get your remote security measures in place

  • evaluate all SaaS applications that your staff use while remote working to ensure adequate levels of protection and security;
  • ensure your systems capacity is adequate given the increased usage;
  • ensure adequate encryption levels are applied to the data at rest and in transit;
  • implement virtual private networks and multifactor authentication measures;
  • undertake data back-ups regularly to protect against data loss;
  • maintain logs of equipment being used by staff at home;
  • provide information security refreshers to your staff working from home;
  • insist that staff only communicate through your official systems, not through publicly-available social media channels; and
  • remind staff of their confidentiality obligations, including the need to store and dispose of hard-copy records securely.

Carefully manage your suppliers that have access to your data

  • get sufficient comfort that the IT controls that your suppliers implement work and that they are effective in terms of protecting your data;
  • manage contractual liability with your suppliers around cyber incident and data breach issues – this includes having clear protocols in your contractual arrangements which deal with:
    • the communication of suspected breaches by your supplier;
    • the processes for conducting assessments into those breaches; and
    • the allocation of responsibility for the containment, remediation and notification of the breach; and
  • ensure that you control any notifications to your customers and any regulators, including the Office of the Australian Information Commissioner (OAIC) – this will help to manage any reputational fall-out.

Know what to do in the event you are hacked

  • have your crisis management team ready for immediate mobilisation and response – a team of multi-disciplinary specialists (including, as appropriate, IT, legal, risk and compliance, PR/communications, corporate affairs, HR) which is known in advance and has full authority to act without permission;
  • ensure you have a robust data breach response plan which can be implemented immediately – a plan which sets out:
    • your strategy for containing, assessing and managing a data breach from start to finish – with clear reporting lines, escalation paths and criteria for when to mobilise the crisis management team;
    • your strategy for dealing with the communication of the data breach internally and externally – including to affected individuals, the OAIC and other regulators that may be relevant to your business;
    • the roles and responsibilities of staff members; and
    • processes for dealing with a data breach involving another entity, such as your IT supplier;
  • make sure you get the facts of the data breach – don't just rely on assumptions;
  • carefully manage communications to internal and external stakeholders – including setting the correct narrative for the data breach and your response from the outset;
  • build a stakeholder map, and consider the legal relationship you have with each stakeholder so as to ultimately guide you to a prioritised work plan for responding to the incident;
  • seek the protection that can be gained through legal professional privilege by engaging with your internal or external legal advisers – otherwise sensitive internal communications and documents about the breach (including forensics reports) could be exposed to regulators or those pursuing civil damages claims against you;
  • determine your notification obligations at law – to affected individuals, to the OAIC and to any other regulators relevant to your business – see below for further details; and
  • consider your contracts that may be impacted by the cyber incident, including rights and obligations that may be triggered.

Comply with your legal obligations to report privacy breaches

You have obligations under the Privacy Act 1988 (Cth) to report certain data breaches (known as "eligible data breaches") if you are a:

  • Commonwealth Government agency;
  • Private sector organisation (including not-for-profit) with annual turnover in excess of $3 million; or
  • Small business earning $3 million or less that provides health services, is involved in trading in personal information, provides services under a Commonwealth contract or is a credit reporting body.

An "eligible data breach" occurs if:

  • There is unauthorised access to, or disclosure of, information, or information is lost in circumstances where such unauthorised access or disclosure is likely to occur;
  • A reasonable person would conclude that access or disclosure would be likely to result in "serious harm" to any of the individuals to whom that information relates; and
  • You have not been able to prevent the likely risk of serious harm with remedial action.

Assess

In the case of a suspected data breach, you must undertake a reasonable and expeditious assessment (and, in any event, within 30 days) to determine whether there are reasonable grounds to believe that an "eligible data breach" has occurred.

Notify

If you have reasonable grounds to believe that an "eligible data breach" has occurred, you must as soon as practicable:

  • prepare a statement setting out:
    • your contact details;
    • a description of the data breach;
    • the kinds of information concerned; and
    • the steps you recommend individuals take to mitigate the harm that may arise from the data breach;
  • give a copy of the statement to the OAIC; and
  • take such steps as are reasonable in the circumstances to notify affected individuals of the contents of the statement.

Serious harm?

The key test for notification is whether the actual or suspected data breach is "likely to result in serious harm" to individuals. You should have regard to the following, among other relevant matters, when assessing whether individuals are likely to suffer "serious harm":

  • the kind and sensitivity of the information involved in the breach;
  • whether the information is protected by security measure(s) and the likelihood of overcoming that protection;
  • the persons, or kinds of persons, who have obtained, or could obtain, the information;
  • if a security technology or methodology was used to make the information unintelligible or meaningless – the information or knowledge that would be required to circumvent the technology or methodology; and
  • the nature of the harm – whether that harm be physical, psychological, emotional, reputational, economic or financial.

What matters is not just the likelihood of the harm occurring, but also the anticipated consequences for individuals if the harm were to materialise (e.g. risk of identity theft).

As the notifiable data breaches scheme is relatively new, the meaning of "serious harm" is still somewhat nebulous. From a reputational perspective, it is often best to err on the side of caution and to make the required notifications if there is doubt as to whether the threshold of "serious harm" has been reached.

Penalties

A failure to notify an "eligible data breach" is considered an interference with the privacy of an individual affected by the breach. Serious or repeated interferences with the privacy of an individual can give rise to civil penalties of up to $2.1 million.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.