Two months until Data Breach Laws take effect and breaches in the news: Is your school ready?
Recent devastating privacy breaches in the United States serve as a timely reminder for schools about the importance of practicing privacy every day and also being ready for compliance with the Notifiable Data Breach (NDB) Scheme amendments to the Privacy Act 1988 (Cth) taking effect in February 2018. The Uber and Equifax incidents also raise important issues about privacy and cyber security and the circumstances of each case should be understood by schools.
What is cyber security?
Cyber security refers to the body of technologies, processes and practices employed in a school which are designed to protect networks, devices, programs and data from attack, damage or unauthorised access. Cyber security measures are generally designed to protect schools from cyber risks, including:
- malware – software which is specifically designed to disrupt, damage or gain unauthorised access to a computer system
- phishing/ransomware – a computer virus which blocks access to, or encrypts, a victim’s data, demanding that a ransom be paid to restore access
- denial of service attacks – preventing legitimate users from accessing targeted computer systems, devices or other network resources
- human error – especially including inappropriate employee or student behaviour
- compromised systems – referring to breaking into a network in any form without authorisation.
A recent ACCC report has suggested that a cyber security attack can cost between one and five thousand dollars, with much of the money being unrecoverable after the event. Of even greater significance is the reputational damage (as the examples of breaches by Uber and Equifax show) which can be sustained that can affect current and future student enrolments. It is more important than ever for a school to develop cyber security processes early which enable them to be a cyber resilient school.
The issue of cyber resilience is often delegated to IT teams or outsourced to external providers. However, as indicated in ASIC Report 555 Cyber resilience of firms in Australia’s financial markets, managing cyber resilience is very much a governance issue, for a school board, to be managed through strong corporate governance principles. Developing an overall governance framework, which includes procedures to identify, protect, detect, respond and recover from cyberattacks will assist any school to lay solid foundations as part of a robust cyber resilience program.
What happened to Uber and Equifax?
Uber is a ridesharing company that connects drivers and passengers through a smartphone app. The Uber breach took place in late 2016, when two hackers accessed its user data stored on a third party cloud-based service. Upon being alerted to the issue, rather than notify authorities and consumers impacted, Uber paid the hackers $100,000 USD to delete the data and keep silent regarding the attack. It is not hard to see why they would be reluctant to disclose such a breach. At the time of the attack, Uber was the subject of various negotiations with US regulators who were investigating separate privacy claims, as well as settling a lawsuit with the New York Attorney-General and the Federal Trade Commission over data security disclosures and the handling of consumer data.
The Office of the Australian Information Commissioner (OAIC) has commenced inquiries with Uber regarding the impact of the breach in Australia, and this comes hot on the heels of a similar breach involving Equifax (formerly known in Australia as Veda), an international credit reporting body who also operates heavily in the Australian credit market. Earlier this year, its American office announced that hackers had gained unauthorised access to their company data, potentially compromising the personal information of 143 million American consumers including their social security numbers and drivers licence numbers. Whilst the breach took place in America, Equifax may have transferred personal information between its American office and its wholly owned subsidiary Equifax (Australia), bringing with it the possibility of breaches of Australia’s privacy laws. The breach was reported some time after the event with the incident taking place in June, identification of the breach in July, but reporting to the market not occuring until September 2017.
But these are not the only ramifications for Uber and Equifax with the media now questioning the reputations of both companies and their ability to handle personal data. Reputational risk is also one of the main concerns of school boards as independent schools rely on their reputation to ensure financial viability and growth in enrolments. A major incident which indicates a failure to handle students’ personal data can impact on a school’s future financial viability and enrolment growth.
Notifying data breaches and privacy concerns
As stated in our previous article, the OAIC’s Mandatory Notifiable Data Breach Regime (NDBR), which comes into force on 22 February 2018, prevents schools from concealing breaches if the breach is considered to result in serious harm to the affected person(s). Pre-NDBR, businesses were not under a legal obligation to disclose the breach to the regulator or the affected person(s), although it was clearly seen as a black mark against their reputation.
The introduction of the NDBR is something that schools need to take seriously. There will be no time to wait and ‘test the water’ before making any changes to existing policies and procedures. After 22 February 2018, significant monetary penalties for failing to comply with the new legislation will apply. Schools should be looking to update their privacy content now in preparation for the beginning of the NDBR, and should also look closely at their cyber security policies to prevent any data breaches from occurring in the future.
In May 2017, CompliSpace published the briefing paper Privacy Update: Mandatory Notification of Data Breaches. This Briefing Paper summarised the new mandatory NDBR requirements under the Privacy Act 1988 (Cth). CompliSpace also produced a follow up Briefing Paper in October 2017: Privacy update: Mandatory Notification of Data Breaches & Complaints Handling Update. The second Briefing Paper explains why your school must comply with the NDBR amendments, including a practical checklist to prepare for the changes.
How can you minimise the impact of cyber risks at your school?
Cyber security is a school-wide problem which requires strategic and operational leadership from the top down. Schools also have a duty of care to their students to protect them virtually and in person from cyber risk when online on school premises. Safeguarding students from online risks is a crucial component of a school’s cyber risk management program and also a crucial component of a school’s reputation management in the wider school community.
With students being digital natives in our current cyber age, it is more important than ever that schools safeguard their students against any unintended consequences of their online activity. The cases of Uber and Equifax only highlight the justification for schools to allocate resources to systems and procedures to protect their data and themselves from any significant liabilities. It is also worth pointing out that policies introduced to directly address cyber security and privacy will also overlap with other areas of school governance, including duty of care policies such as:
- Cyber bullying
- Image based abuse
- Social media and BYOD usage policies.
Lauren Osbich is a Legal Research Consultant and School Governance reporter. She can be contacted here.