As the COVID-19 pandemic unfolds, we are becoming increasingly reliant on remote internet-connected workforces. With this shift to remote working, comes heightened data sensitivity risks, including an increase in the likelihood of cyber attacks and privacy breaches.
Specifically, there has been an uptick in COVID-19 themed ‘phishing’ emails and SMS messages. Hackers are taking advantage of public fear associated with the virus and workers’ decreased security due to working from home arrangements and increased dependence on networks. Recent examples include phishing emails containing attachments or links claiming to offer access to government benefits or safety information that either contain malware which attempts to steal data and passwords or install destructive files.
Like private sector organisations, Councils must be vigilant of this heightened risk environment. Despite the extraordinary environment in which we find ourselves, data security and privacy obligations continue to apply.
This means that you should:
Get your remote security measures in place
- evaluate all SaaS applications that your staff use while remote working to ensure adequate levels of protection and security;
- ensure your systems capacity is adequate given the increased usage;
- ensure adequate encryption levels are applied to the data at rest and in transit;
- implement virtual private networks and multifactor authentication measures;
- undertake data back-ups regularly to prevent against data loss;
- maintain logs of equipment being used by staff at home;
- provide information security refreshers to your staff working from home;
- insist that staff only communicate through your official systems, not through publicly-available social media channels; and
- remind staff of their confidentiality obligations, including the need to store and dispose of hard-copy records securely.
Carefully manage your suppliers that have access to your data
- get sufficient comfort that the IT controls that your suppliers implement work and that they are effective in terms of protecting your data;
- manage contractual liability with your suppliers
around cyber incident and data breach issues – this includes having clear
protocols in your contractual arrangements which deal with:
- the communication of suspected breaches by your supplier;
- the processes for conducting assessments into those breaches; and
- the allocation of responsibility for the containment, remediation and notification of the breach; and
- ensure that you control any notifications to your customers, constituents and any regulators – this will help to manage any reputational fall-out.
Know what to do in the event you are hacked
- have your crisis management team ready for immediate mobilisation and response – a team of multi-disciplinary specialists (including, as appropriate, IT, legal, risk and compliance, communications, corporate affairs, HR) which is known in advance and has full authority to act without permission;
- ensure your data breach response plan has been
updated to take account of the changed environment brought about by COVID-19 –
a plan which can be implemented immediately and which sets out:
- your strategy for containing, assessing and managing a data breach from start to finish – with clear reporting lines, escalation paths and criteria for when to mobilise the crisis management team;
- your strategy for dealing with the communication of the data breach internally and externally – including to affected individuals, the New South Wales (NSW) Information Privacy Commissioner and, where relevant, the Office of the Australian Information Commissioner (OAIC);
- the roles and responsibilities of staff members; and
- processes for dealing with a data breach involving another entity, such as your IT supplier;
- make sure you get the facts of the data breach – don’t just rely on assumptions;
- carefully manage communications to internal and external stakeholders – including setting the correct narrative for the data breach and your response from the outset;
- build a stakeholder map, and consider the legal relationship you have with each stakeholder so as to ultimately guide you to a prioritised work plan for responding to the incident;
- seek the protection that can be gained through legal professional privilege by engaging with your internal or external legal advisers – otherwise sensitive internal communications and documents about the breach (including forensics reports) could be exposed to regulators or those pursuing civil damages claims against you;
- determine your notification obligations – to affected individuals and to regulators – see below for further details; and
- consider your contracts that may be impacted by the cyber incident, including rights and obligations that may be triggered.
Comply with your legal obligations to report privacy breaches
The NSW Information Privacy Commission Data Breach Policy advises that NSW Government agencies, including Councils, should notify the Information Commissioner and affected individuals where there has been a ‘serious’ data breach.
Assessment
In the case of a suspected data breach, you should undertake a reasonable and expeditious assessment to determine whether there are reasonable grounds to believe that there has been a ‘serious’ data breach that would fall within the NSW voluntary data breach reporting scheme.
Serious data breach?
The key test for notification is whether there has been a ‘serious’ data breach.
Determining the seriousness of the breach affects what response actions should be taken and whether the breach should be reported or not.
There is no objective measure of seriousness so you should have regard to the following:
- the type of data breached – does it include financial, health or other sensitive categories of data? Are there other characteristics of the data that could pose a high risk (e.g. commercial information that could pose a reputational risk to Council or other organisation)?;
- how easy would it be for individuals to be identified from this data?;
- the number of individuals affected; and
- the risk of harm that could be caused to both individuals and the Council by the breach – for example, could the data create risks to individuals to whom it relates if used or improperly used? Was the data breach a single incident (e.g. forwarding an email to the wrong person) or a malicious attack that poses an ongoing risk?
Notification
Councils are not generally caught by the mandatory data breach notification scheme under the Privacy Act 1988 (Cth). Nonetheless, there is a voluntary notification scheme that applies to NSW public sector agencies, including local Councils. The NSW Government is also considering whether a mandatory reporting regime should be implemented. The Department of Justice opened a consultation on whether mandatory reporting is necessary in July 2019.
Because the scheme is currently voluntary in NSW, Councils will need to decide in each case whether they report a data breach under the voluntary scheme. In many cases, it may be best to err on the side of caution and notify the Information Commissioner and any affected individuals in order to effectively manage any reputational fall out.
Additionally, your private sector suppliers are still likely to be subject to the mandatory data breach notification regime under the Privacy Act 1988 (Cth). If a supplier suffers a data breach that involves the personal information of constituents, that data breach may be reportable by the supplier under the mandatory data breach notification regime. In these cases, as the entity with the closest connection to affected constituents, you will want to take control of that notification process from your supplier so that you can best manage the reputational impact and ensure that appropriate information is provided to the affected individuals.