Data Security Checklist for NSW Government Agencies

As the COVID-19 pandemic has unfolded, we have become increasingly reliant on remote Internet-connected workforces. The practical difficulties with returning to in-person working environments have highlighted that we will continue to rely on remote working arrangements, at least to some extent, for the foreseeable future. Additionally, it is likely that we will see a structural shift in working arrangements even once all social distancing restrictions have been lifted.

With this shift to remote working, comes heightened data sensitivity risks, including an increase in the likelihood of cyber attacks and privacy breaches. The pandemic has seen an uptick in COVID-19 themed ‘phishing’ emails and SMS messages. Hackers are taking advantage of public fear associated with the virus and workers’ decreased security due to working from home arrangements and increased dependence on networks. Recent examples include phishing emails containing attachments or links claiming to offer access to government benefits or safety information that either contain malware which attempts to steal data and passwords or install destructive files.

NSW Government agencies, in particular, must be vigilant of this heightened risk environment. Despite the extraordinary environment in which we find ourselves, data security and privacy obligations continue to apply.

NSW Government agencies should:

Ensure sufficient remote security measures are in place

• evaluate all SaaS applications that your staff use while remote working to ensure adequate levels of protection and security (particularly if staff will continue remote working arrangements after social distancing restrictions are lifted);
• ensure your systems capacity is adequate given the increased demand on usage;
• ensure adequate encryption levels are applied to the data at rest and in transit;
• implement virtual private networks and multifactor authentication measures (and. if you have done this already, consider whether they will continue to be fit for purpose in view of your ongoing remote working requirements);
• undertake data back-ups regularly to prevent against data loss;
• maintain logs of equipment being used by staff at home;
• provide regular information security refreshers to staff working from home;
• insist that staff only communicate through official systems, not through publicly-available social media channels (and regularly remind staff of this); and
• remind staff of their confidentiality obligations, including the need to store and dispose of hard-copy records securely.

Carefully manage your suppliers that have access to your data

• get sufficient comfort that the IT controls that your suppliers implement work and that they are, and will continue to be, effective in terms of protecting your data, taking into account your current remote working arrangements;
• manage contractual liability with your suppliers around cyber incident and data breach issues – this includes having clear protocols in your contractual arrangements which deal with:
  
  
  • the communication of suspected breaches by your supplier;
  • the processes for conducting assessments into those breaches; and
  • the allocation of responsibility for the containment, remediation and notification of the breach; and
• ensure that you control any notifications to your customers and any regulators – this will help to manage any reputational fall-out.

Know what to do in the event of a hack

• have your crisis management team ready for immediate mobilisation and response – a team of multi-disciplinary specialists (including, as appropriate, IT, legal, risk and compliance, communications, corporate affairs, HR) which is known in advance and has full authority to act without permission;
• ensure you have a robust data breach response plan which can be implemented immediately – a plan which sets out:
  
  
  • your strategy for containing, assessing and managing a data breach from start to finish – with clear reporting lines, escalation paths and criteria for when to mobilise the crisis management team;
  • your strategy for dealing with the communication of the data breach internally and externally;
  • the roles and responsibilities of staff members; and
  • processes for dealing with a data breach involving another entity, such as your IT supplier;

• make sure you get the facts of the data breach – don’t just rely on assumptions;
• carefully manage communications to internal and external stakeholders – including setting the correct narrative for the data breach and your response from the outset;
• build a stakeholder map, and consider the legal relationship you have with each stakeholder so as to ultimately guide you to a prioritised work plan for responding to the incident;
• seek the protection that can be gained through legal professional privilege by engaging with your internal or external legal advisers – otherwise sensitive internal communications and documents about the breach (including forensics reports) could be exposed to regulators or those pursuing civil damages claims against you;
• determine your notification obligations at law – see below for further details; and
• consider your contracts that may be impacted by the cyber incident, including rights and obligations that may be triggered.

Comply with legal obligations to report privacy breaches

The NSW Information Privacy Commission Data Breach Policy advises that NSW government agencies should notify the Information Commissioner and affected individuals where there has been a ‘serious’ data breach. This is considered best practice.

Assessment

In the case of a suspected data breach, you should undertake a reasonable and expeditious assessment to determine whether there are reasonable grounds to believe that there has been a ‘serious’ data breach that would fall within the NSW voluntary data breach reporting scheme.

Serious data breach?

The key test for notification under the NSW voluntary reporting regime is whether there has been a ‘serious’ data breach. Determining the seriousness of the breach affects what response actions should be taken and whether the breach should be reported or not.

There is no objective measure of seriousness so you should have regard to the following:

• the type of data breached involved – does it include sensitive data like financial or health data? Is it otherwise high risk?
• the number of individuals affected;
• whether the breach relates to data that would otherwise normally be publically available?
• the risk of harm that could be caused to the affected individuals and the government agency; and
• whether the data breach is inadvertent (e.g. forwarding an email to the wrong person) or a malicious attack that poses an ongoing risk?

NSW Government agencies should have a clear process in place to assess each data breach so that the breach can be dealt with in a manner that is proportionate to its seriousness.

Notification

NSW Government agencies are not generally caught by the mandatory data breach notification scheme under the Privacy Act 1988 (Cth). Nonetheless, there is a voluntary notification scheme that applies to NSW Government agencies. The NSW Government is also considering whether a mandatory reporting regime should implemented. The Department of Justice opened a consultation on whether mandatory reporting is necessary in July 2019.

Because the scheme is currently voluntary in NSW, agencies will need to decide in each case whether they report a data breach under the voluntary scheme. In many cases, it may be best to err on the side of caution and notify the Information Commissioner and any affected individuals in order to effectively manage any reputational fall out. 

Additionally, private sector suppliers that contract with the NSW Government are still likely to be subject to the mandatory data breach notification regime under the Privacy Act 1988 (Cth). If a supplier suffers a data breach that involves the personal information of constituents, that data breach may be reportable by the supplier under the mandatory data breach notification regime. In these cases, as the entity with the closest connection to affected constituents, the agency will want take control of that notification process from the supplier so that the agency can best manage the reputational impact and ensure that appropriate information is provided to the affected individuals.