New cyber security laws to impact not-for-profits
Australian not-for-profits must comply with new laws that require them to notify authorities if they have had a significant data breach.
The new laws come into effect on February 22, 2018, which means any breaches after that date must be reported.
The laws require not-for-profits with more than $3 million in annual turnover to notify authorities of data breaches. Organisations that fail to comply face fines of up to $1.8 million.
Aon insurance’s national practice leader for cyber risk, Fergus Brooks, said that in the past there has been “a culture of not telling people when they’ve lost people’s data” among not-for-profits and other organisations.
But Brooks, whose firm is Our Community’s insurance partner, said not-for-profits deal with “very private records because of the nature of their business”, and cannot go unregulated.
The industry is buzzing with suggestions that the Federal Government is ready to “throw the book at organisations that aren’t sufficiently securing the information they’re trusted with”.
“I think they’ve got their eye on some organisations already,” Brooks said.
“There’s going to be a big shift in February. Now it’s crunch time and you don’t want to be the one that is made example of.”
Tougher Australian laws are being mirrored in the US, Asia and Europe, where many not-for-profits also do business.
Plan of action
Not-for-profits should already have a plan of action in the event a breach or a cyber attack occurs.
The government shares tips in its Guide to Developing a Data Breach Response Plan, released by the Office of the Information Commissioner in April last year.
Depending on the organisation, this could include having an insurer, legal advisers, public relations experts and information technology experts on hand to assist with a crisis.
Not-for-profits should develop an “incident response plan” and test it, Brooks said.
“Let’s say you get an email demanding $5,000 or they’ll release some private information. What are you going to do next?”
This includes an immediate “incident response” reaction in the first 24-48 hours, which may include determining what type of attack has occurred and how to protect remaining data.
The secondary part of the plan should assess how to respond to any regulatory or legal claims, with the risk of class actions in Australia increasing.
“It’s not difficult, and there’s plenty of organisations – and Aon is one of them – where organisations can get help,” Brooks said.
More about the new data breach laws
The much anticipated Privacy Amendment (Notifiable Data Breaches) Bill 2016 comes into force on February 22, 2018. The new law makes it mandatory to notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals if your organisation has a data breach. Below, Aon shares some basic information about the new law.
Who do the changes apply to?
The new law applies to public and private organisations that are already subject to the Privacy Act. This includes Australian government agencies (excluding state and local government) and all businesses and not-for-profit organisations with an annual turnover of more than $3 million.
When will the new law come into effect?
The new law takes effect on February 22, 2018.
What happens if you don’t comply?
If an organisation doesn’t comply with the new laws, it could face penalties including fines of up to $360,000 for individuals and $1.8 million for organisations.
Aon said the financial implications will require a systematic change of attitude for many organisations, and conversations about cyber risks and data security need to be elevated to boardroom level.
How can organisations prepare?
Aon recommends organisations act immediately by appointing a steering committee to address the legal changes, running a full risk assessment and considering insurance coverage.
Not-for-profits an easier target
According to Brooks, not-for-profits should not think they are immune just because they are a smaller target.
“There’s a misnomer that cyber criminals are going after the top end of town,” he said.
“But they’re much harder targets compared to smaller organisations, which are often more willing to pay the $10,000 to retrieve data from a ransomware attack.”
He said six-figure costs are quite likely for organisations that get hit by a hacker.
“Cyber criminals certainly don’t discriminate, or have morals, when it comes to whether or not they’ll target a not-for-profit.”
New laws and continued attacks are a sobering reminder of the cyber risks now faced by organisations of all types.
Brooks said key cyber risks for not-for-profits revolve around the sensitive information they hold, such as personal and healthcare information.
Threats to organisations from cyber breaches include:
- business interruption leading to income losses and expenses
- the cost of restoring data
- notification and investigation costs
- the costs of any extortion
- public relations and communications costs
- legal costs linked to privacy, defamation, damages and intellectual property claims
- fines and penalties.
Why cyber crime is on the rise
During 20 years working in information security, Brooks has seen dramatic growth in cyber crime, with 85 per cent of attacks now linked to ransomware, coming from regions including eastern Europe, Taiwan, China and the US, as well as from home-grown cyber crooks.
Those attacks involve hackers using legitimate-seeming emails or software to bait users into activating computer viruses that scramble data.
Victims are issued with demands to pay a ransom to regain control of their computers, and in some cases criminals will sell or threaten to release the data they’ve harvested from hijacked computers and servers.
But despite all the warnings – and even after security awareness training – “people are still clicking on that link”, as criminals develop increasingly sophisticated methods to entice victims, Brooks said.
Baiting methods include faked emails from senior managers, timing attacks for when people are on leave, and conducting rigorous background research about organisations before attacks.
Recent Aon client seminars have highlighted confusion about how the new laws will work, but Brooks said any “serious” breach – even the release of a single sensitive email – could require organisations to notify authorities.
How to protect your organisation now
The Australian Cyber Security Centre said organisations should do the following to protect themselves from cyber attack:
- Patch and update systems immediately, including Microsoft operating systems. Using unpatched and unsupported software increases the risk of cyber security threats such as ransomware.
- Back up your data. If you do not have backups in place you can arrange to use an off-site backup service. This is good practice for all users.
- Ensure your antivirus software is up-to-date.
- Individuals and organisations are discouraged from paying the ransom, as this does not guarantee access will be restored.
The reasons organisations may be unable to patch their systems include:
- They are running legacy applications that won’t work with updated versions of Windows (the UK’s NHS had this problem).
- They are running illegal pirated copies of Windows that can’t be patched.
- They have IT officers who don’t have full oversight of their network, or haven’t made cyber threats a high enough priority.
“It’s not that firms aren’t aware of the problem, it’s just not in the line of sight, or nobody’s sure who is managing it,” Brooks said.