Opinion: The verdict is in: if you’ve been a victim of a ransomware attack, you will almost certainly be required to report the breach to the Privacy Commissioner and the people likely affected.
In what is the clearest guidance industry has been given on notification obligations in the event of a ransomware attack, this news came with the release of the Office of the Australian Information Commissioner’s January-June 2021 Notifiable Data Breach Report.
In this report, the OAIC states:
“It is insufficient for an entity to rely on the absence of evidence of access to or exfiltration of data to conclusively determine that an eligible data breach has not occurred.”
This statement seems to be plain commonsense when you consider the factors at play in a ransomware or data theft extortion incident: the depth and breadth of personal information held by most organisations in Australia in the digital age; the fact that most ransomware attacks affect most of the data held by the victim organisation; and the fact that this type of breach is perpetrated by criminals seeking to do harm for profit. In these circumstances it would be exceptional to be able to demonstrate that such a breach would be unlikely to lead to a serious risk to individuals.
Although it may seem obvious at face value, clearly the OAIC has found the need to expressly state this fact and remove any doubt as to a loophole existing for organisations to avoid reporting to the regulator when they’ve been hit by ransomware.
To date, organisations may have been relying on a lack of evidence of exfiltration to justify not reporting a ransomware breach to the Privacy Commissioner and affected individuals. In such circumstances, organisations are most likely failing to understand that the threshold test for determining whether a breach is reportable is a ‘more likely than not’ test – or, to use a legal term, “on the balance of probabilities”.
So, if your organisation is the custodian of information that is likely to cause serious harm to individuals if it is in the possession of criminals, and it is likely that criminals now possess it, then your default starting position should be to report the breach – and typically you’ll have a hard time arguing otherwise.
We saw a strong suggestion that the regulator may have taken this position in relation to ransomware with the publication of the recent findings in the Determination against Uber.
While that incident occurred before the mandatory data breach notification scheme was in place, it was nonetheless made clear by the regulator that paying a ransom (even if disguised as a “bug bounty”) and getting written assurances from a threat actor that stolen data has been destroyed would not be enough to avoid notification obligations.
The regulator’s views on this matter again seem relentlessly commonsense: those that perpetrate ransomware, or who have criminal intent, are not to be trusted. And where such persons have accessed, or may have possession of, personal information that could be used to perpetrate serious harm, this serious harm is likely.
So, the question becomes: why would an organisation not want to report? The short answer is: fear.
Fear of litigation, fear of reputational damage, fear of regulatory action. This fear, coupled with the self-preservation instincts of key leaders and internal stakeholders, often comes into play in decision making around whether to report to the regulator.
This fear factor is completely understandable. However, by choosing not to report, organisations are playing a major gamble that only exacerbates all those risks, should the full nature of the breach ever become known, or worse, the cybercriminal publishes your data.
The realised risk for many organisations that report is in fact quite different. Swift action, transparency and a demonstrated commitment to reduce risk to individuals are far more likely to reduce your risk in the long term. The most severe regulatory action has invariably been taken against those who sought to cover up a breach, or who were tardy in notifying. Remember: your data could turn up on the dark web at any time or, commonly, a whistle-blower may decide to clear their conscience.
The reality is that it is in no one’s interest – including the regulator – to punish those that move quickly, are transparent and genuinely act to protect those who may be affected by a breach. In fact, research by McKinsey and Company shows that reacting quickly to a data breach is the second greatest way to maintain trust when handling others’ personal information.
So, if you find yourself in the unfortunate position of being a victim of a ransomware attack, quick, transparent notification to the OAIC and individuals, and meaningful action to minimise harm to those affected, is your best bet to ensure you’ve met your regulatory obligations. As a bonus, you’ll also be meeting the expectations of your employees, your customers and the general public.