Do you know your legal and ethical obligations if your business experiences a cyber attack?
A cyber attack can be devastating for a business. In fact, 22% of small businesses in Australia don’t survive a ransomware attack.
In addition to direct financial costs, companies can experience employee stress, brand damage, and weeks of lost productivity time.
Australian business owners also have legal requirements they must adhere to and ethical obligations they must consider.
Who is accountable for a cyber attack?
Cyber security is not just an IT responsibility. It requires input from management teams, HR, communications, IT teams, legal counsel, and any relevant department – or employee – impacted.
In the event a company experiences a cyber attack, it is the business owner and/or board of directors that could be held liable. Further, it is the responsibility of the business owner(s) to ensure the company complies with the legal requirements set out by the Australian Government.
Thus, it is imperative that responsibility for ensuring the company has adequate cyber security is considered at a governance level.
What are my legal requirements if my business experiences a cyber attack?
PLEASE NOTE: Jam Cyber strongly recommends all business owners obtain their own independent advice regarding their legal requirements in the event of a cyber attack.
Under Australian law there are different legal requirements depending on the type of attack. Here are the current requirements (please note, these may be subject to change as laws are updated):
- Ransomware attack: for most businesses, there is no legal requirement to notify authorities of a ransomware attack. This changes if the attack involves personal information, the business is a regulated financial services entity, or if the organisation operates critical infrastructure.
- Corporate espionage or theft: where no personal details are involved, it is up to the company whether it wishes to report corporate espionage or theft to the police. There are no legal requirements unless the company suspects an employee is involved in terrorism, or has stolen classified documents that could impact national security.
- Internal or external data breach: where personal information is involved, eligible Australian businesses are required to report a data breach under the Notifiable Data Breach Scheme. This can be quite complex and we have explained it in more detail below.
What is classified as a data breach?
The Office of the Australian Information Commissioner (OAIC) has outlined what it considers a data breach. It includes:
- Unauthorised access to personal information or company data.
Includes employees who access sensitive or confidential files without authority and/or unauthorised external third-party access (via hacking, social engineering, or espionage).
- Intentional or unintentional unauthorised disclosure of personal information or company data.
Includes intentional data stealing and publishing by employees and/or external hackers as well as accidental publishing of confidential information by employees.
- Compromised user account.
Where a company user account has been compromised (via phishing, social engineering, etc.) by an internal or external person.
- Accidental or inadvertent loss of personal information or data held specifically by the company.
Includes employees who accidentally put company data at risk when devices are lost or stolen. Note: if the device is secured via multi-factor authentication (MFA) and there is no possibility a third party can access the company files, then this risk is mitigated, and the loss of a device does not automatically become a data breach.
Data breaches can be small and accidental or catastrophic. The best way to avoid a data breach is to implement a cyber security framework.
If your company experiences a Notifiable Data Breach, you may be legally required to notify the OAIC.
What is a Notifiable Data Breach?
The OAIC has implemented a Notifiable Data Breach (NDB) Scheme which requires certain businesses to notify the government when a breach occurs. Companies that are eligible for the scheme are required to notify the OAIC when a data breach is likely to result in serious harm to an individual whose personal information is involved.
Serious harm may include (but is not limited to) financial fraud, identity theft, physical harm and/or activity that leads to emotional distress. For example, a hacker obtains personal details, usernames, and passwords of customers or employees. This would enable them to commit identity fraud and potentially steal money from victims.
For more details about the NDB Scheme, please see: https://www.oaic.gov.au/privacy/notifiable-data-breaches/about-the-notifiable-data-breaches-scheme
What are my ethical responsibilities?
There is a difference between your legal requirements and your ethical responsibilities when it comes to a data breach. The OAIC provides clear guidelines on exactly what needs to be reported and to whom. But should you inform people even when you are not required to?
Whilst each case may be different, Jam Cyber believes that business owners should always inform clients when their data has been compromised – regardless of whether they are required to or not.
When it comes to ransomware, we recommend notifying the government of the attack so they can better fund and protect other businesses. You can make your voluntary report here: https://www.cyber.gov.au/acsc/report
What can I do to prepare and protect my business?
Whilst Jam Cyber does not offer advice regarding individual business legal requirements, we have created a checklist for business owners to review and consider.
1. Determine your ‘entity status’
The OAIC has slightly different requirements for businesses of different sizes and those in specific industries. In short, any business earning more than $3 million annually, or that has existing obligations under the Privacy Act, is legally required to notify the OAIC in the event of a data breach where personal information is concerned. To check whether your organisation is covered by this scheme, visit: https://www.oaic.gov.au/privacy/guidance-and-advice/data-breach-preparation-and-response/part-4-notifiable-data-breach-ndb-scheme#entities-covered-by-the-ndb-scheme
2. Prepare your Data Breach Policy and Response Plan
Your Data Breach Policy and Response Plan should include both how to identify a data breach and how the company will respond in the event of a breach. We recommend also including a communication table to ensure you know who is responsible for communicating what message.
3. Prepare Data Breach Notification Templates
In addition to notifying the OAIC, your business may be required to contact individual employees and customers if their data has been compromised. Having ready-to-go templates in place will ensure you can communicate swiftly to victims and the appropriate authorities.
4. Educate your team
Training your employees is one of the best things you can do to prevent cyber attacks. Most cyber breaches are the result of human error. By upskilling employees, you protect both them and your customers. Find out more about training your team.
5. Implement a cyber security framework
Every company should have a cyber security framework in place to maximise protection and mitigate damage. The framework should include policies and procedures, systems and tools, and employee training. You can view our cyber security framework here.