15 April 2018

Cyber Breaches and Notices – are you aware of the threats?

The World Economic Forum Global Risks Report 2018 names cyber security as one of its top areas of concern: Breaches are increasing, more than doubling over the past five years. Ransomware is on the rise. Critical infrastructure is being targeted by cyber-attacks. The trends for businesses to move to the cloud, more ‘smart’ activity with Smart Cities, Smart Workplaces and Smart Homes – all open up a whole new world of risk. In this issue we look at what you need to do if you have a breach:

Breach Notification Summary

European Union

  • There is a notice requirement for data breaches in Article 33 of the General Data Protection Regulation, which will go into effect on May 25th 2018:  If there is a personal data breach the controller shall, within 72 hours, notify the personal data breach to the supervisory authority, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it must be accompanied by reasons for the delay.  Failure to notify as required will attract fines.


  • The Privacy Amendment (Notifiable Data Breaches) Act 2017, effective from February 22nd 2018, applies to all organisations with existing personal information security obligations under the Australian Privacy Act 1988.
  • If an organisation suspects a data breach may have occurred, it must expeditiously assess if the breach is likely to result in serious harm to any affected individual.
  • The Act introduced an obligation to promptly notify individuals whose personal information is subject to a data breach likely to result in serious harm (known as an eligible data breach), as well as the Australian Information Commissioner.
  • The notification statement must be provided as soon as practicable after the entity becomes aware of the breach, and must include the following information:
  1. Organisation contact details,
  2.  description of the data breach,
  3. c. The type of information concerned, and
  4. d. Recommendations about the steps individuals should take in response to the breach.

This notice requirement applies to Government agencies, businesses and not-for-profits with an annual turnover of $3 million or more, amongst others.


  • There is currently no notice requirement for reporting data breaches in Canada. However, the Digital Privacy Act 2015 amended the Personal Information Protection and Electronic Documents Act (PIPEDA) in order to create such a notice requirement, the provision for which is expected to come into force in late 2018.
  • The notice requirement is outlined in section 10.1 and 10.2 of PIPEDA, and, once in force, will mandate the following notice actions be taken in the event that a breach creates a real risk of significant harm to an individual:
  1. A report to the Office of the Privacy Commissioner of Canada,
  2. A notice to the affected individuals, and
  3. A notice to other relevant organisations.
  • The notice must include a description of the circumstances of the breach, a description of the personal information subject to the breach, and a contact number/email at which the individual can obtain further information. The notice must be given as soon as feasible after the organisation determines that the breach has occurred, and failure to comply could result in fines of up to $100,000.

New Zealand

  • There is currently no obligation to report data breaches in New Zealand, but the Government has indicated that a mandatory requirement is going to be a part of the changes made in the new Privacy Bill.
  • The Privacy Bill requires organisations to report notifiable privacy breaches (defined as those breaches which pose a risk of harm) to both the Commissioner and the affected individuals as soon as is practicable.
  • A notification must include a description of the breach (number & identity of affected individuals) and explain the steps taken or intended to be taken in response to it


  • Currently all 50 states, including the District of Columbia, have notification laws requiring affected individuals to be notified immediately after discovery of an information security breach.
  • Such notifications are required in breaches involving a resident’s name plus a sensitive data element, typically a social security number, government ID number, or credit card or financial account number.  In a growing minority of states, sensitive data elements have been expanded to include health insurance numbers, biometric data, and medical and login information.
  • There is no national data breach notification requirement, however US Federal law requires notification in case of specific breaches, including:
  1. Health care information,
  2. Breaches of information from financial institutions,
  3. Breaches of telecom usage information held by telecomm services, and
  4. Breaches of government agency information.

Singapore, Japan and South Korea

  • None of these jurisdictions have a legal requirement to report data breaches to either the individual affected or to the relevant regulator.  However, guidelines in all of these jurisdictions indicate that such reporting is considered to be good practice

Breaches – what should you be thinking about?

In the Data Breach Investigations Report published on April 10th 2018, we learnt that there were over 53,000 breaches globally in the last 12 months, covering 65 countries. Interestingly only 76% of breaches are motivated by financial gain, so nearly a ¼ are for other reasons.

Organised crime is said to be behind half of all breaches, and a further 12% are state sponsored.  28% of breaches are from within the organisation.

4% of people will always clink on a link regardless of the warnings – so phishing attacks do work.

For those engaged in information services the most common problem is from web application attacks.  With the biggest threat being denial of service attacks accounting for 56% of reported incidents.

In manufacturing the biggest risks are targeted attached, and almost 47% of breaches are to steal intellectual property.

Most worryingly is that 69% of attacks go un-noticed for months. Most typically a third party alerts you to the breach.

The top take away is the importance of educating your people to be alert and spot issues.  Everyone needs to understand that data is valuable and it needs to be secured, and sensitive data even more so.