Cyber incidents continue to embarrass

No week goes by without news about data discovered on the dark web pointing to a data breach at an Australian organisation. Recent data breaches serve as a reminder of major cybersecurity risks such as social engineering [1] and supply chain risks. [2] Perhaps rare but topical is the risk of unprotected public websites and APIs connecting to a database without layer security or an authentication requirement, [3] a rather critical oversight.

Australian businesses are being targeted by cyber criminals. Outsourcing, offshoring and digital transformation projects including the use of modern technologies such as artificial intelligence (AI) can give rise to information security risks which can be too great to handle even for well-resourced companies. Unfortunately, whenever a weakness in their defences is discovered by cyber criminals, Australian corporations suffer embarrassment in the press and in the boardroom.

Following data privacy reforms [4] which increased civil penalties for privacy interference and reduced the trigger thresholds, we expect to see more enforcement action going forward. The regulator’s recent announcement that it is initiating civil penalty proceedings against Optus for its 2022 data breach, [5] the third largest in Australia, signals movement on the regulator’s to-do list.

What information security is required by law?

Organisations must take such steps as are reasonable in the circumstances to protect personal information. Following the recent data privacy reform, such steps include an obligation to implement technical and organisational information security measures.

Admittedly, the Privacy Act 1988 (Cth) devotes only about three sentences to this (which are repeated for credit information), but the actual legal requirements are dictated by good industry practice, which is reflected in various technical standards, the Guide to securing personal information [6] by the Office of the Australian Information Commissioner (OAIC) and other materials.

For example, supply chain information security risk is a complex area of compliance underpinned by complex risk mitigation practices. Some high-level compliance strategies to address supply chain risk could include, among others:

• A robust supply chain risk management framework that is operated by competent professionals with assigned responsibilities.


Member firm: KHQ Lawyers, Melbourne, Victoria, Australia.