Cybercrime: Managing data breaches in Australia
What is a data breach?
A data breach is generally defined as an incident involving “unauthorised access to sensitive, protected or confidential data resulting in the compromise of either confidentiality, integrity or availability of an information asset”. Data breaches pose serious risks to businesses and the individuals to whom the information relates.
One specific type of data breach is a “business email compromise” (BEC), where a cybercriminal impersonates a business contact to trick employees or suppliers of a business to transfer money or to provide sensitive information. Often BEC scammers use domain names or emails almost identical to those of the contact they are impersonating, and because they don’t use malicious attachments, their emails often get past anti-virus software. Most BEC scams take one of these forms:
- Executive fraud: A cybercriminal masquerades as an executive and sends an email to staff requesting they transfer funds to the scammer’s account.
- Legal impersonation: A cybercriminal requests payment for an urgent and sensitive legal matter.
- Invoice fraud: A cybercriminal sends a fake invoice to the business, impersonating a trusted supplier. In many cases, cybercriminals have accessed the supplier’s real email account and have made changes to the bank account details in otherwise legitimate invoices.
- Data theft: This scam involves impersonating a trusted person to request sensitive information. The information obtained is sometimes used in a larger, more complex scam.
This article provides details on what you can do to minimise harm to your business in the event of a data breach, including a BEC. Please note that this article is general in nature and nothing in this article should be taken as legal advice. Should you have any queries in relation to the legal issues raised in this article, please contact us here for further information.
How to manage a data breach in Australia
It is important to take immediate action in response to a data breach in order to protect your business. Notify your IT staff as soon as a breach to your system is suspected. Your IT department or advisor should have a plan in place for data breaches, which may involve the following steps:
1. Identify the threat
Establish the nature, origin and extent of the attack.
(a) Allow time for a thorough forensic examination. This information is crucial to ensure that your response is appropriate, and that no further breaches occur. In the case of a BEC, ensure you identify the fraudulent email.
(b) Any potential spread of the problem should be identified. It is important to check for any other transactions or abnormalities across your system.
(c) Consider if your business has been targeted specifically or if the problem relates to a known virus or scam. Conduct a search online using key words relating to your identified breach.
2. Contain the damage
(a) Based on your forensic examination, identify compromised systems and files and delete them using updated anti-virus and other protection programs.
(b) Ensure that everyone in the business changes their passwords for work accounts to passphrases containing multiple words as well as numbers and other characters. Consider implementing a secure password manager or a multi-factor authentication system.
(c) In the case of a BEC, contact your bank as soon as possible. Your bank should have a telephone number you can contact at any time for this purpose. Contacting your bank quickly will minimise the number of transactions that the scammer is able to complete.
(i) Your bank will block any cards relating to your accounts and issue you with replacements.
(ii) You will need to provide details of any transactions you believe to be fraudulent and your bank may refund the funds relating to any transactions they determine to be fraudulent. However, some banks will refuse to refund transactions if they determine that you have contributed to the loss.
3. Communicate promptly and transparently
As soon as you have identified the breach, ensure you comply with your legal obligations to inform affected parties. These parties may include your suppliers. Various laws govern minimum standards that differ depending on the type of organisation. If you are unsure of your obligations, seek legal advice.
(a) Reporting the cybercrime
Cybercrime attacks can be reported to the Australian government’s ReportCyber centre here, or directly to a police station. The Australian Competition and Consumer Commission (ACCC) can also receive reports of scams through its Scamwatch tool here.
(b) Notifiable data breaches: obligations under the Privacy Act
(i) Certain entities are subject to obligations under Part IIIC of the Privacy Act 1988 (Cth) (Privacy Act) regarding notifiable data breaches. Most small business operators including sole traders, body corporates, partnerships, unincorporated associations and trusts with an annual turnover less than $3,000,000 are exempt.
(ii) Relevant entities must undertake a “reasonable and expeditious assessment of whether there are reasonable grounds to believe that the relevant circumstances amount to an eligible data breach” within 30 days of the entity becoming aware of the breach.
(iii) An eligible data breach occurs when there is unauthorised access to, or unauthorised disclosure of, information leading a reasonable person to conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates (‘at risk’ individuals).
(iv) If there is an eligible data breach, the entity must provide a statement about the breach to the Commissioner and must notify ‘at risk’ individuals following the completion of the statement, subject to certain exceptions.
(c) Communications with stakeholders where the Privacy Act does not apply
(i) Where the Privacy Act does not apply, it may nevertheless be beneficial to provide clear and transparent information to all relevant stakeholders as soon as practicable, setting out the data that was compromised and details of how you intend to remedy the situation.
(ii) In the case of a BEC, it is important to contact the impersonated person or business so they can prevent any further BEC attempts. Provide a screenshot of the suspicious email, rather than forwarding it.
(d) Internal communications with employees
(i) Ensure that you also communicate effectively with your employees, particularly those who deal directly with customers. It is important that they can answer any questions asked of them, or be able to promptly refer such questions to those with authority to do so.
(ii) Ask your employees to report anything abnormal they may have noticed in relation to the business’ IT systems.
(iii) In the case of a BEC, the scammer may have made more than one BEC attempt in relation to your business. To minimise the risk of further damage, send around an email containing a screenshot of the BEC attempt and ask that staff members check for suspicious emails.
(e) Contact your insurer
(i) Some insurance policies will include cyber liability insurance. Cyber liability insurance typically covers the costs of repairing databases, strengthening security and replacing laptops. Additionally, cyber liability insurance may cover lost income as a result of the disruption and the costs of recovering from the attack.
(ii) Check your business insurance policy or call your insurer to determine your level of cyber liability insurance. Your insurer will advise you and/or your IT manager on the types of evidence you will need to submit in order to make a claim.
4. Monitor IT’s response and prepare for future attacks
(i) Your IT manager will lead the way here. The various tasks undertaken will depend on the type of business conducted and the specific data breach that occurred. Ask for regular updates in writing and discuss as appropriate with management and employees.
(ii) Consider improving your cybersecurity practices for your business. This may involve updating your anti-virus software, and educating staff about potential breaches. More information about protecting your IT systems can be found here.
(iii) Consider implementing the checklist created by the US Federal Trade Commission to assist your business to obtain the most appropriate cyber insurance, as recommended by the Australian government. The checklist is accessible here.
What can you do if you are notified that a client or customer has experienced a data breach?
1. Advise IT
(a) Contact your IT manager. They should have a plan in place for such events and are best placed to undertake the appropriate actions.
(b) Your IT manager can ensure that all anti-virus and other software is up to date, and will consult with the IT manager of the affected business to ensure they have as much accurate information as possible.
2. Contact your employees
(a) Alert your employees about the data breach or scam. If everyone is alert about the danger, you have a better chance of protecting your business.
(b) Consider advising your staff to change their passwords to complex passphrases containing multiple words as well as numbers and symbols.
Where to from here?
As with any business decision, it is important to take the particular features of your business and the surrounding circumstances into account when preparing and implementing a plan to respond to a data breach. Engage with your IT manager and notify the relevant parties as required. Unfortunately, data breaches are common; it is unlikely that yours is the only business to be affected. Once you have addressed the consequences of your data breach, you can use this opportunity to seek advice on how best to strengthen your IT systems against any further attac
 Lawrence A Gordon, Martin P Loeb and Lei Zhou, ‘ The impact of information security breaches: Has there been a downward shift in costs?’ (2011) 19 Journal of Computer Security 1 33.
 See Privacy Act 1988 (Cth) s 26WE(1) for specific requirements.
 Unless an exception applies to the type of organization (e.g. health service providers), see Privacy Act 1988 (Cth) s 6D.
 Privacy Act 1988 (Cth) s 26WH(2)(a), (b) & (c).
 Privacy Act 1988 (Cth) ss 26WG and 26WE(2)(a) & (d).
 Privacy Act 1988 (Cth) s 26WK(2).
 Privacy Act 1988 (Cth) s 26WL(2)(a) & (b).
 See eg, ss 26WD, 26WF, 26WJ, 26WM, 26WN, 26WP & 26WQ, noting that these exceptions do not apply where an APP entity is directed to notify an eligible data breach by the Commissioner (Subdivision C).