Cyber attacks have become commonplace across the business landscape in the last decade and, with recent attacks focused on Australia, one leading law firm has released its advice on what to do after a data breach.
With high-profile cases across the United States, and the hacking of Aussie Travel Cover earlier this year, no industry in Australia is safe.
While you may be adept at selling cyber insurance coverage, do you know what to do in the event of a hack on your own systems as well as those of your clients?
Wotton & Kearney partner Patrick Boardman stressed that 2015 could be a major year of online disruption.
“Since the start of 2015 there have been 2 serious hacking attacks in the US and Australia. It is currently understood that up to 80 million records held by the US health insurer, Anthem, and up to 770,000 records held by Australian travel insurer, Aussie Travel Cover, were compromised in the attacks.
“If these hacking attacks are an early indication of the things to come, 2015 could be a very bad year for mass data breaches around the world and in Australia.”
In a four-step guide for all industries, Boardman set out the key things that companies that have suffered a data breach must do in the aftermath:
1) Contain the breach
Boardman stressed that once an attack has been detected, it is “vital” that it be contained.
“The appropriate response to the breach will depend on the nature of the attack and the data that has been compromised, which may include shutting down any affected servers or accounts.”
Businesses that have come under attack should conduct a preliminary assessment of the attack and then take the steps necessary to limit the breach and establish what data has actually been compromised.
2) Understand the breach
In the early stages of any cyber attack it is important to understand what data has actually been compromised and the scale of the breach you have been subjected to.
Boardman stressed that establishing the cause of the data breach is also integral, as is assessing what damage the breach could have caused to those whose data has been accessed.
“The information gathered will impact on how the company deals with the attack.
“If the attack has only compromised a limited number of encrypted files the response will differ considerably from an attack that has compromised a large number of unencrypted documents that can: facilitate identity theft, cause direct or indirect financial loss, or cause serious reputational damage,” Boardman writes.
3) Notify third parties
One aspect of Australian, and indeed global, privacy law that could be subject to change concerns the decision to notify those affected by the hack. As Boardman stresses: “…There are no mandatory notification requirements, but each case should be considered on its own merit.”
Boardman recommends letting third parties know if there is a serious risk of physical, psychological or financial harm, and a serious reputational risk for the company.
Notification is also recommended if the failure to notify could lead to “separate causes of action against the company for breach of conduct, negligence, or breach of statutory or fiduciary duty.”
Boardman also recommends consulting legal counsel before any notification is made, to ensure that the notification covers the necessary topics.
“Due to the likely criminal nature of the attack, the breach should be reported to the Federal Police. If the breach is extensive it may also be appropriate to notify the Australian Information Commissioner (OAIC). In some circumstances OAIC may be able to provide further guidance and assistance to the affected company and 3rd parties.”
4) Investigate and prevent future breaches
The final step is also one of the most important, as companies should look at what went wrong and how to prevent similar breaches in future.
“Once immediate action has been taken to stop the breach, the company should fully investigate the attack with the view of preventing similar future breaches.
“The affected company should also create or update its breach response plan by drawing on the lessons learnt from the attack.”