Breaches present reputational risk for the University, but as of February 2018 they also raise the possibility of penalties under the Privacy Act for failing to report serious data breaches publicly. The Privacy Act now requires that serious data breaches be reported to the regulator and affected individuals.
Notifiable data breaches have 3 key elements:
• A data breach has occurred. That is, there has been unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information.
• It is likely to result in serious harm to one or more individuals. Likely = more likely than not, i.e., greater than 50% chance. Serious harm is undefined in the Privacy Act but may include serious physical, psychological, emotional, financial, or reputational harm.
• The entity hasn’t been able to mitigate the risk of serious harm with remedial action. (So this also means that if the University does experience a serious data breach but it takes all steps necessary to shut down the risk of harm to the affected individuals, then it ceases to be notifiable.)
Notification must occur ‘as soon as practicable’ once an entity is aware of the notifiable data breach.
Entities will have 30 days to investigate and reach a view on whether a breach is notifiable – but the requirement to notify kicks in as soon as the entity reaches a view – so if the investigation shows after 3 days that the threshold for a notifiable data breach has been reached, the University would have to notify ‘as soon as practicable’ from that point.
The mandatory reporting regime is focused on mitigating harm to individuals. This is important to remember, whether or not a breach is reportable. All of our actions in the wake of a breach should be focused on reducing and removing the risk of harm to individuals. And regardless of regulatory consequences, we should always be aware of the risk of brand and reputational damage to the University and act to protect the University as well.
But universities don’t need to comply?
The Notifiable Data Breaches (NDB) scheme under the Australian Privacy Act established requirements for entities in responding to data breaches. While Macquarie University (the University) is primarily governed by the NSW Privacy and Personal Information Protection Act, the NDB scheme is applicable to the controlled entities and consequently we decided to proactively adopt the scheme. This is in part because of the significant crossover in systems and people between the University and controlled entities, which external stakeholders then view as one body, warranting a consistent approach.
The NDB Response Plan is a sub-plan of the Incident and Crisis Management Framework and follows the same escalation process as step zero:
• Level 1: Breach is minor and already contained – notification may occur through ROAR (e.g. isolated single instance).
• Level 2: Breach is significant but contained – notify the CMT co-ordinator, who will operationalise CIRT as required.
• Level 3: Uncontained major incident where the extent is not yet known, or the breach is still occurring – inform the CMT co-ordinator as soon as possible, who will operationalise CIRT and liaise with the CMT.
• Level 4: Critical incident – inform the CMT co-ordinator as soon as possible, who will operationalise CIRT and liaise with the CMT.
An investigation team will be appointed with the necessary advisors and expertise, and will commonly include the Information Security Manager and Privacy Officer.
The levels above assist in determining the extent of investigation and senior management involvement that is required when responding to an incident. The levels also ensure that communications are consistent and streamlined, and that responsibilities and accountability are clearly defined.
Malicious activity was detected by PageUp on 23 May and a forensic investigation was launched. PageUp went public with the breach on 5 June but could not say whether client data had been compromised.
Once the initial forensic investigation was performed, it was determined that the impacted personal information included:
• Contact details including name, email address, physical address, and telephone number.
• Biographical details including gender, date of birth, middle name (if applicable), nationality, and whether the applicant was a local resident at the time of the application.
• Employment details at the time of the application, including employment status, company and title.
• If the application was submitted for a reference check, then the following additional details may have been provided by the reference: technical skills, special skills, team size, length of tenure with company, reason for leaving that position (if applicable), and the length of relationship between the applicant and reference.
The most critical data categories, including resumes, financial information, Australian tax file numbers, employee performance reports and employment contracts, were not affected in this incident. No data contained in the New Starter Forms, Onboarding, Performance, Learning, Compensation or Succession Modules was affected.
On 18 June a joint statement was issued by the OAIC and PageUp which included the following guidance:
• Change your passwords on other online services, if you re-use the same password.
• Enable multi-factor authentication and other available security measures provided by your other online services.
• Be aware of potential phishing emails and telephone calls from businesses or institutions requesting your personal details.
• Avoid opening attachments from unknown senders via email or social media.
• Install anti-virus software and keep it updated.
• Apply all recommended software patches from operating system and software providers.
On 21 June MQ notified the OAIC and released a notification to affected individuals the following day. A response team was formed comprising the Cyber Security Manager, Privacy Officer and HR Business Analyst to respond to queries raised from the notification.
Communications. With PageUp: PageUp were very forthcoming with their communications to us, which assisted in the notification process. However, it is handy to be aware of the guidance others are providing. In this instance some companies had notified individuals that they could delete their profiles themselves, which could not be done with their MQ profile and may have caused some frustration. Internally: We have a collaborative working relationship with Cyber Security, so we were easily able to form a team to respond to the situation and have a unified approach in responding to queries.

Flexibility of response. Understand the interplay of various legislation, particularly the State Records Act. We are required to retain applicant information for 2 years after the job has been filled; however, this legislation isn’t widely understood by the public. Ensure you understand the retention requirements and have a flexible response to those who do want their data deleted. In our case we archived their information on internal systems where information couldn’t be deleted per the applicant’s request.

Use the resources available. We called the OAIC on numerous occasions to get guidance on the notification process. They assisted in making a call on whether to notify or not and in what information was required in the notification process. Also, the notification tool was very straightforward and easy to use.

Ensure you are aware of the data retention elements of your service arrangements. Many of the individuals notified had applied a number of years ago. The more information that is unnecessarily retained, the greater the risk if it is lost, both to reputation (why were we holding onto it?) and in the quantity exposed.
Notifiable Data Breaches – Lessons from PageUp
Overview of the Notifiable Data Breach Scheme
DVC / COO | RISK & ASSURANCE 2
[Slide diagram: the three elements of a notifiable data breach – unauthorised access, disclosure or loss of personal information; likely to result in serious harm to one or more individuals; and the entity has not been able to prevent the likely risk of serious harm with remedial action.]
UNDER THE PRIVACY ACT, EFFECTIVE 22 FEBRUARY 2018, SERIOUS DATA BREACHES MUST BE REPORTED TO THE REGULATOR AND AFFECTED INDIVIDUALS.
• Notification must occur ‘as soon as practicable’ once aware.
• The University has 30 days to investigate and reach a view on whether the breach is notifiable.
WHILE MQ IS PRIMARILY GOVERNED BY THE NSW PRIVACY AND PERSONAL INFORMATION PROTECTION ACT,
THE NDB SCHEME IS APPLICABLE TO THE CONTROLLED ENTITIES. CONSEQUENTLY MQ PROACTIVELY
ADOPTED THE SCHEME ACROSS THE UNIVERSITY AND DEVELOPED A NDB RESPONSE PLAN AS A SUB-PLAN
TO THE INCIDENT AND CRISIS MANAGEMENT FRAMEWORK
[Slide diagram: four-step response process]
• Take immediate steps to limit the breach; this may include stopping the practice or shutting down systems that are breached. Notify relevant response teams per responsibilities.
• Assess and validate whether the data breach is likely to result in serious harm to any of the involved. As part of
• Notify individuals and the Commissioner if serious harm is likely.
• Review the incident and consider what actions can be taken to prevent future
PAGEUP LIMITED, AN ONLINE RECRUITMENT SERVICES ORGANISATION EXPERIENCED A DATA BREACH WITH
DOWNSTREAM EFFECTS TO THEIR CUSTOMERS
[Slide timeline: malicious activity detected by PageUp on 23 May; forensic investigation to understand the extent of the breach and the details that had been accessed; joint statement with OAIC on 18 June; MQ notifies OAIC on 21 June; notification to affected individuals on 22 June; response team formed to respond to queries raised by 70]
FOLLOWING THE BREACH WE IDENTIFIED AREAS WHERE OUR RESPONSE AND PROCESSES COULD BE
Use the available