{"id":291715,"date":"2021-08-30T07:47:34","date_gmt":"2021-08-30T07:47:34","guid":{"rendered":"https:\/\/www.innovationaus.com\/?p=21937"},"modified":"2021-08-30T07:47:34","modified_gmt":"2021-08-30T07:47:34","slug":"hit-by-ransomware-you-really-need-to-report-it","status":"publish","type":"post","link":"https:\/\/radiofree.asia\/2021\/08\/30\/hit-by-ransomware-you-really-need-to-report-it\/","title":{"rendered":"Hit by ransomware? You really need to report it"},"content":{"rendered":"

Opinion: The verdict is in: if you’ve been a victim of a ransomware attack, you will almost certainly be required to report the breach to the Privacy Commissioner and to the people likely to be affected.

In what is the clearest guidance industry has yet been given on notification obligations after a ransomware attack, this came with the release of the Office of the Australian Information Commissioner’s January-June 2021 Notifiable Data Breach Report.

Image caption: The Privacy Commissioner recently said ransomware’s rise was concerning. Credit: Shutterstock/Andrey_Popov

In this report, the OAIC states:

“It is insufficient for an entity to rely on the absence of evidence of access to or exfiltration of data to conclusively determine that an eligible data breach has not occurred.”

This statement is plain common sense once you consider the factors at play in a ransomware or data-theft extortion incident: the depth and breadth of personal information held by most organisations in Australia in the digital age; the fact that a ransomware attack typically touches most of the data a victim organisation holds; and the fact that the breach is perpetrated by criminals seeking to do harm for profit. In these circumstances it would be exceptional to be able to demonstrate that such a breach is unlikely to result in serious harm to individuals.

Although it may seem obvious at face value, the OAIC has clearly found it necessary to state this expressly and remove any doubt that a loophole exists for organisations to avoid reporting to the regulator when they’ve been hit by ransomware. In practice, an absence of evidence of exfiltration is often just an absence of visibility: if outbound traffic and file access were never logged, or the attacker wiped the logs along with the backups, an investigation cannot truthfully conclude that nothing left the network.

To date, organisations may have been relying on a lack of evidence of exfiltration to justify not reporting a ransomware breach to the Privacy Commissioner and affected individuals. Such organisations are most likely failing to understand that the threshold test for whether a breach is reportable is whether serious harm is ‘more likely than not’ to result, or, to use the legal term, whether it is likely “on the balance of probabilities”.

So, if your organisation is the custodian of information that could cause serious harm to individuals if it fell into criminal hands, and it is more likely than not that the attackers accessed or took that information, then your default starting position should be to report the breach, and typically you’ll have a hard time arguing otherwise.

We saw a strong suggestion that the regulator had taken this position on ransomware with the publication of the recent findings in the Determination against Uber.

While that incident occurred before the mandatory data breach notification scheme was in place, the regulator nonetheless made it clear that paying a ransom (even one disguised as a “bug bounty”) and obtaining written assurances from a threat actor that the stolen data has been destroyed would not be enough to avoid notification obligations.

The regulator’s view on this is again relentlessly commonsense: those who perpetrate ransomware, or who otherwise act with criminal intent, are not to be trusted. And where such persons have accessed, or may possess, personal information that could be used to cause serious harm, that serious harm is likely.

So the question becomes: why would an organisation not want to report? The short answer is fear.

Fear of litigation, fear of reputational damage, fear of regulatory action. These fears, coupled with the self-preservation instincts of key leaders and internal stakeholders, often come into play in decisions about whether to report to the regulator.

This fear factor is completely understandable. However, by choosing not to report, organisations are taking a major gamble that only exacerbates all of those risks should the full nature of the breach ever become known, or, worse, should the cybercriminal publish your data.

The risk actually realised by organisations that do report is quite different. Swift action, transparency and a demonstrated commitment to reducing risk to individuals are far more likely to reduce your own risk in the long term. The most severe regulatory action has invariably been taken against those who sought to cover up a breach, or who were tardy in notifying. Remember: your data could turn up on the dark web at any time, or, commonly, a whistle-blower may decide to clear their conscience.

The reality is that it is in no one’s interest, including the regulator’s, to punish those who move quickly, are transparent and genuinely act to protect those who may be affected by a breach. In fact, research by McKinsey and Company shows that reacting quickly to a data breach is the second most important factor in maintaining trust when handling others’ personal information.

So, if you find yourself in the unfortunate position of being a victim of a ransomware attack, quick, transparent notification to the OAIC and to affected individuals, together with meaningful action to minimise harm to those affected, is your best bet for meeting your regulatory obligations. Bear in mind the clock the scheme sets: an entity that suspects an eligible data breach must complete a reasonable and expeditious assessment within 30 days, and must notify the Commissioner and affected individuals as soon as practicable once it concludes that the breach is eligible. As a bonus, you’ll also be meeting the expectations of your employees, your customers and the general public.

David Batch is national privacy lead at cyber security firm CyberCX. This article was republished with permission.

The post Hit by ransomware? You really need to report it appeared first on InnovationAus.

This post was originally published on InnovationAus.","protected":false},"excerpt":{"rendered":"

","protected":false},"author":7505,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[15058,1929,1921,1892,22787,8734],"tags":[],"_links":{"self":[{"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/posts\/291715"}],"collection":[{"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/users\/7505"}],"replies":[{"embeddable":true,"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/comments?post=291715"}],"version-history":[{"count":1,"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/posts\/291715\/revisions"}],"predecessor-version":[{"id":291716,"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/posts\/291715\/revisions\/291716"}],"wp:attachment":[{"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/media?parent=291715"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/categories?post=291715"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/radiofree.asia\/wp-json\/wp\/v2\/tags?post=291715"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}