Luke Hally

Data breach notification

February 13, 2023

The Notifiable Data Breaches scheme seemed so simple back when I started this Master's degree. Now we are exploring its intricacies in my Cyber and the Law course. Let's look at a scenario and how the law applies to a breach.

Scenario

A large national accounting/tax firm, which handles the personal tax returns of over 300,000 clients, has experienced a ransomware attack. Their systems are now offline and non-functional, and much of their data has been encrypted and is inaccessible. The encrypted data includes the information they hold on each client such as tax file numbers, contact information, income statements, receipts for claimable deductions, tax filing history and invoices sent/paid.

More data may have been taken (e.g. emails and attachments), but this is more disparate. The attackers claim to have extracted copies of all data and are threatening to publish it unless the ransom demands are met; however, no logs are available to confidently determine whether or not any data was exfiltrated or how much. Local backup files have also been encrypted, but there are some unencrypted offsite data backups from six months ago.

Some client information is available on those backups, but it is not up to date (e.g. where clients’ contact information has changed), and it does not include new clients. Clients will have duplicates of the information in their own records, and the tax office retains records of historic filings.

The ransomware operators are promising to decrypt the files if the company pays a $5 million ransom. However, the company is concerned that it has no way of enforcing such a promise and does not intend to pay.

Should anyone be notified about the data breach and, if so, how?

Legal justification

Note: all legislative references are to the Privacy Act 1988 (Cth) unless stated otherwise.

Call in the lawyers

The firm's lawyers should be notified immediately. Given their view of the business and of the incident response plan, they are best placed to guide the firm through its response to the incident (Bloch, n.d.).

Assess the data breach

Because the firm cannot confirm from logs whether data was exfiltrated, it is at least aware of reasonable grounds to suspect an eligible data breach. 26WH therefore requires it to carry out a reasonable and expeditious assessment, completed within 30 days of becoming aware; the analysis below is that assessment.

Scope under 26WE(1)(a) requires both 26WE(1)(a)(i) and 26WE(1)(a)(ii) to be satisfied:

  • 26WE(1)(a)(i), APP entity: The firm in question is an APP entity, following the definition chain 6(1) "APP entity" > 6(1) "organisation" > 6C(1). A large accounting firm will be structured as a company or a partnership (CPA Australia, n.d.), which fall within 6C(1)(b) and 6C(1)(c) respectively, and a firm handling over 300,000 personal tax returns can safely be taken not to be a small business operator under 6D. Note: I used "APP entity" rather than "file number recipient", as defined at 11(1) and picked up by 26WE(1)(d), for clarity; the firm is also a file number recipient because it holds tax file numbers.
  • 26WE(1)(a)(ii), holds personal information: For the purposes of the assessment I will assume that the firm holds personal information about its clients such as name, address, date of birth, tax file number, signature, email address and telephone number.

An eligible data breach under 26WE(2)(a) requires both 26WE(2)(a)(i) and 26WE(2)(a)(ii) to be satisfied:

  • 26WE(2)(a)(i), unauthorised access or disclosure: Encrypting the firm's systems required access to them, so unauthorised access to the systems has already occurred. That the firm fell victim to ransomware without usable current backups (local backups encrypted, offsite copies six months old) indicates a lack of adherence to the ACSC Essential Eight, which lends credence to the attackers' claim that they have also stolen the data. Since the firm cannot confirm or rule this out due to the lack of logs, I will assume that unauthorised access to, and likely disclosure of, the personal information has occurred.
  • 26WE(2)(a)(ii), likely serious harm: 26WG lists the matters to have regard to when deciding whether a reasonable person would conclude that the access or disclosure would be likely to result in serious harm. It adds no new requirement here, but its factors reinforce the conclusion: the information includes tax file numbers and financial records (26WG(a), (b)); it is in the hands of criminals who are extorting the firm (26WG(e)); and there is no indication the firm had encrypted it in a way that would make it unintelligible to them (26WG(f)). The Privacy Act does not itself define serious harm; serious harm as defined in the Criminal Code Act 1995 146.1 "serious harm" (b), harm that is or is likely to be significant and longstanding, is likely to result here, for example through identity theft or tax fraud using the stolen tax file numbers.

Given that the firm will not pay the ransom, and that we have assumed the attackers hold the data, there is no remedial action open to the firm under 26WF that would lead a reasonable person to conclude the access or disclosure is no longer likely to result in serious harm, so the 26WF exception does not apply.

Notifications

Now that we have established that an eligible data breach has occurred, or at least that there are reasonable grounds to believe one has occurred (26WK(1)), the following notifications are required.

OAIC

Having established that an eligible data breach has occurred, the firm must, as soon as practicable, prepare a statement and give a copy to the Commissioner (as defined in the Australian Information Commissioner Act 2010 3A), as required by 26WK. Under 26WK(3) the statement must set out the firm's identity and contact details, a description of the breach, the kind or kinds of information concerned, and recommendations about the steps individuals should take in response. In practice this means reporting to the OAIC through the process set out on its website (OAIC, n.d.).

Affected individuals

26WL(2)(a) and 26WL(2)(b) state that, if practicable, the firm must notify the contents of the statement to each individual to whom the information relates or, alternatively, to each individual at risk from the breach. Given the uncertainty about what was exfiltrated, notifying every client whose data is, or may be, involved is the safer course. 26WL(3) requires this to be done as soon as practicable after the statement is prepared, and 26WL(4) allows the firm to use the method it normally uses to communicate with each individual.

Public announcement

If it is not practicable for the firm to contact the (potentially) affected individuals, 26WL(2)(c)(i) requires it to publish a copy of the statement on its website and 26WL(2)(c)(ii) requires it to take reasonable steps to publicise the contents of the statement. Since the only surviving client records are the six-month-old offsite backups, which omit new clients and contain stale contact details, publication is likely to be needed to reach the clients the firm cannot otherwise contact.

Other

The firm is not critical infrastructure, so it is not required to report the cyber incident under the Security of Critical Infrastructure Act 2018. I am also assuming it is not a listed entity, so the firm is not affected by the Corporations Act 2001 Chapter 6CA (Continuous disclosure). However, I would make the following reports on ReportCyber (ACSC, 2022):

  • Report a crime to police, due to the ransomware and the extortion demand.
  • Report a cyber security incident to the ACSC, due to the compromise of sensitive information and unauthorised access to the systems of a large business.

Figure: decision tree for determining whether an eligible data breach has occurred.

References

ACSC. (2022). ReportCyber. Cyber.Gov.Au. https://www.cyber.gov.au/acsc/report

Australian Information Commissioner Act 2010. https://www.legislation.gov.au/Details/C2023C00007

Bloch, V. (n.d.). Working with lawyers [Interview]. Retrieved February 11, 2023, from https://courseapps.studyonline.unsw.edu.au/media/unsw/course/ZZLJ9223/Week%206/transcripts/Interview%20Valeska%20Bloch.pdf

Corporations Act 2001. https://www.legislation.gov.au/Details/C2022C00306/Html/Volume_3#_Toc117005267

CPA Australia. (n.d.). Firm structures. CPA Australia. Retrieved February 11, 2023, from https://www.cpaaustralia.com.au/public-practice/your-public-practice-firm/firm-structures

Criminal Code Act 1995 (Cth). https://www.legislation.gov.au/Details/C2019C00043/Html/Volume_2

OAIC. (n.d.). Report a data breach. Retrieved February 12, 2023, from https://www.oaic.gov.au/privacy/notifiable-data-breaches/report-a-data-breach

Privacy Act 1988 (Cth). https://www.legislation.gov.au/Details/C2021C00452

Security of Critical Infrastructure Act 2018. https://www.legislation.gov.au/Details/C2022C00160
