Trend Watch: What the top ten 2018 cybersecurity trends mean for your business

Mandatory data breach notification laws swept the globe

Recent developments

Since the first mandatory data breach notification laws were introduced to the United States in 2003,¹ their presence around the world has steadily increased. In 2018, we saw a suite of new mandatory data breach notification regimes introduced across the globe.

• The European Union introduced the most sweeping data protection law changes in the world when the General Data Protection Regulation (GDPR) came into effect on 25 May 2018. The GDPR enhances obligations to notify regulators and individuals of data breaches.² In 2018, we saw the first penalty issued under the GDPR³, however, we are yet to see an entity fined for a failure to comply with the data breach notification requirement.
• In Australia, the Notifiable Data Breaches (NDB) Scheme came into effect on 22 February 2018.⁴ Since the introduction of the NDB Scheme, 550 data breaches have been reported⁵, up from 114 reported in the 2016-17 financial year.⁶ We are yet to see enforcement action taken regarding failure to comply with the NDB Scheme.
• As of 1 July 2018, mandatory data breach notification regimes have been implemented in every US state, after Alabama and South Dakota passed legislation coming into effect on 1 June and 1 July 2018 respectively.⁷ In 2018, amendments were also made to data breach notification legislation in Oregon and Colorado.⁸
• With predictions that GDPR-inspired legislation will soon become the new normal, several governments, such as those in Singapore⁹ and Brazil¹⁰, have begun updating their data privacy regulations to keep pace with the GDPR.¹¹ Canada's Breach of Security Safeguards Regulations came into effect on 1 November 2018, updating existing mandatory breach notification laws.¹² Canada's Privacy Commissioner acknowledged 'the need to align the Regulations more closely with those breach reporting requirements of the GDPR' in an attempt to harmonise organisations' obligations

Supply chain attacks continued to make headlines

Breaches in 2018

In 2018, we saw many breaches that resulted from supply chain vulnerabilities, including:

• Saks Fifth Avenue and Lord & Taylor: The credit card details of more than five million customers were obtained after hackers took advantage of an unsecure point of sale system in-store.⁴
• Universal Music Group: Highly sensitive information was leaked after a contractor at Universal Music failed to secure an Apache Airflow server with a password.⁵
• PageUp: Around 120,000 people were affected after an unauthorised party gained access to the personally identifiable information of users of the PageUp platform. Customers impacted by the breach include the Commonwealth Bank, the ABC, and Australia Post.⁶
• Typeform: Hackers downloaded a partial back up of Typeform's customer data. Typeform's customers include a wide variety of organisations, such as jobs marketplace Airtasker, as well as the Tasmanian Electoral Commission.⁷
• APT10: Hackers linked to the Chinese Government accessed the records of some of the world's largest companies by targeting their managed service providers (MSPs). While officials have been reluctant to name these MSPs, news outlets have reported that IBM, Hewlett-Packard and SAP have all been affected.⁸

Securities and financial services regulators focused in on cyber security

Australia

ASIC has continued to draw attention to cyber security issues with Commissioner John Price recently acknowledging the need for boards to have a thorough understanding of the cybersecurity landscape as a fundamental aspect of every businesses risk management strategy.¹ In September 2018, ASIC released a report that reviewed Australian financial services (AFS) licensees' compliance with the breach reporting requirement in section 912D of the Corporations Act 2001 (Cth). ASIC was critical of AFS licensees, highlighting 'serious' and 'unacceptable' delays in the reporting of significant breaches.² ASIC Chair James Shipton noted that the regulator is 'actively considering enforcement action' concerning these failures to report breaches on time.³

APRA has also indicated that ensuring entities are able to respond effectively in the event of a cyberattack is a priority moving forward. On 7 November 2018, APRA released the final version of prudential standard CPS 234, the first prudential standard in Australia that specifically addressed information and cyber security. The new standard will take effect on 1 July 2019 and requires APRA-regulated entities to:

• 'clearly define information-security related roles and responsibilities;
• maintain an information security capability commensurate with the size and extent of threats to their information assets;
• implement controls to protect information assets and undertake regular testing and assurance of the effectiveness of controls; and
• promptly notify APRA of material information security incidents.'⁴

With CPS 234 coming into effect in 2019, and APRA's recent commitment to review its enforcement strategy following criticism from the Royal Commission, companies should prepare for APRA to adopt a tougher stance on enforcement.⁵ For more information on CPS 234, see our article New APRA Prudential Standard raises bar for information security obligations and incident notification requirements.

Regulators abroad are taking note

After creating a specialised Enforcement Division specifically tasked with investigating cybersecurity incidents in 2017,⁶ the Chairman of the US Security and Exchange Commission (the SEC),⁷ Jay Clayton, reiterated the management of cybersecurity risks would continue to be a priority for the SEC. Cybersecurity was identified as one of five priority areas for 2018 by the SEC's Office of Compliance Inspections and Examinations.⁸ The SEC also advised public companies to implement internal accounting controls that incorporate an approach to cyber threats in its Report of Investigation pursuant to s 21(a) of the Securities Exchange Act (the Report). The Report criticised companies for 'failing to identify red flags and train personnel', serving as a timely reminder that the SEC will not be sympathetic towards companies who have inadequate cybersecurity practices.⁹

The UK Financial Conduct Authority (the FCA) has continued to focus on cyber resilience as a key aspect of every company's risk management strategy.¹⁰ In 2018, Megan Butler (an Executive Director of Supervision at FCA) warned that the FCA 'will take action if they see inappropriate responses and inappropriate protection being taken'.¹¹ Butler spoke of 'serious vulnerabilities' existing around 'identification of key assets, information and detection'.¹²

Big fines for those who don't disclose

In April 2018, the SEC issued the first enforcement action since it updated its cybersecurity guidance in February 2018.¹³ After failing to disclose one of world's largest data breaches, Yahoo was forced to pay a US$35 million penalty to the SEC to avoid further action.¹⁴ The UK Information Commissioner's Office (the ICO) fined Yahoo UK £250,000 in respect of the same breach for delayed disclosure to investors, and for Yahoo's inadequate approach to safeguarding data. For more on this, see Yahoo continues to pay the price for its 2014 data breach.

The FCA also demonstrated its intolerance for inadequate cybersecurity practices, fining Tesco Bank £16.4 million in October 2018 for a cyberattack suffered in November 2016; a fine that would have been much higher if it weren't for Tesco's cooperation and implementation of a 'comprehensive redress program' following the attack.¹⁵ Mark Steward, Executive Director of Enforcement and Market Oversight at the FCA spoke of the attack as one which involved a failure to 'protect customers from foreseeable risks'¹⁶. Steward emphasised the importance of adopting a proactive, rather than reactive, approach to cyber security.

Increased focus by both hackers and regulators on critical infrastructure

Initial reporting

Entities regulated by Australia's Security of Critical Infrastructure Act 2018 (Cth) should also be aware that their initial reports were due by 11 January 2019. For more information on the reporting requirements under the Act, see Client Update: New reporting requirements for critical infrastructure. For more information on the critical infrastructure threat landscape, see One click from meltdown – cyber-attacks on critical infrastructure.

Attacks on critical infrastructure

In 2018, we saw a significant number of attacks on critical infrastructure globally. In response, various governments also took steps to regulate critical infrastructure sectors to bolster their security and enhance information sharing capabilities.

• Russian attacks on US power grid. In July, the Department of Homeland Security confirmed Russia's military intelligence had accessed the infrastructure of power plants throughout the US since mid-2017.² Hackers reportedly gained access through 'spearphishing' emails targeted at 'ill-protected' contractors.³
• China hacks the Australian National University (ANU). In July, it was reported that Chinese hackers gained access to IT systems at ANU.⁴ ANU maintains that no information was compromised. However, the university was accused of being so 'woefully unprepared' for such an attack that 'it wouldn't know if any data had been stolen'.⁵
• Ukraine Chlorine Plant attack. In July, the Security Service of Ukraine announced that Russian malware made it into a Ukrainian chlorine station, which provides chlorine for the treatment of water and sewage across the country.⁶ Ukrainian cyber security specialists were able to quickly identify and address the problem, preventing a significant breakdown of technological process.

Government call outs

Interestingly, we also saw governments increasingly engage in deliberate and coordinated campaigns to call out these attacks.

• The US imposed sanctions on the Russian military intelligence (the GRU) in 2018 for 'attempted interference in the 2016 US election and cyber attacks'⁷. The US Treasury also stated in March 2018 that the GRU 'knowingly engages in activities that undermine cybersecurity on behalf of the Russian government'.⁸
• In April 2018, the US, UK and Australia issued a coordinated announcement that accused the Kremlin of a 'malicious internet offensive' in 2017 that targeted 'government institutions, private sector organisations and infrastructure'.⁹
• In April 2018, the UK National Cybersecurity Centre warned telecoms of the 'potential risks to national security' if they were to deal with Chinese company ZTE.¹⁰
• In December 2018, the Western Five Eyes Allies condemned China for cyber intrusions of managed service providers perpetrated by APT10. The rebuke came within hours of the US charging two Chinese nationals for hacking various American government agencies and corporations. In Australia, Foreign Affairs Minister Marise Payne and Home Affairs Minister Peter Dutton on Friday issued a strongly-worded joint statement similarly condemning China.¹¹

Regulatory responses

• Australia: The Security of Critical Infrastructure Act 2018 (Cth) took effect on 11 July 2018. The legislation creates a critical assets register, and gives the Minister of Home Affairs a 'last resort' power to direct an owner or operator of a critical infrastructure asset to mitigate national security risks. Australia has also banned Chinese telecoms Huawei and ZTE from providing 5G technology to Australian mobile phone operators, citing 'national security risks'.¹²
• US: In September, the Trump White House authorised 'offensive cyber operations against US adversaries'.¹³ The strategy allows 'military and other agencies to undertake cyber operations intended to protect their systems and the nation's critical networks'¹⁴. In late 2017, the National Infrastructure Advisory Council released its final report, Securing cyber assets: Addressing urgent cyber threats to critical infrastructure, which contained 11 recommendations on how to best protect critical infrastructure assets.
• UK: The Joint Committee on National Security Strategy is urging the UK Government to appoint a Cyber Security Minister, in light of growing cyber security threats. The Joint Committee has labelled the current ministerial oversight as 'wholly inadequate' to deal with the emerging threat of attacks on critical infrastructure.¹⁵
• Singapore: Singapore recently introduced a new Cybersecurity Act, requiring owners of designated 'critical information infrastructures' to report cybersecurity incidents to the Singapore Cyber Security Agency.¹⁶ These laws also mandate that owners of relevant assets conduct regular assessments of any cybersecurity vulnerabilities.

Increased global cooperation on cyber security

Global developments

Recent examples of global cooperation include:

• On 17 April 2018, Microsoft, Facebook and 320 other global technology companies announced a joint pledge known as the Cybersecurity Tech Accord, to 'establish new formal and informal partnerships within the industry and with security researchers to share threats and coordinate vulnerability disclosures'.¹
• In July 2018, the UK and French Governments announced a deal to 'bolster the development and implementation of fast-moving technologies like Artificial Intelligence' and to collaborate on cyber security more broadly.²
• On 22 October 2018, military officials from the US and UK, alongside tech industry executives, signed an accord 'committing to the countries to cooperate on cybersecurity and artificial intelligence'.³
• In November 2018, officials from Israel and Japan signed an accord to 'cooperate in research and development, information exchange, and training programs in the field of cyber security'.⁴
• Australia, Britain, Canada, New Zealand and the United States, forming the Five Eyes alliance, are increasing cooperation on the issue of 'foreign interference'. Discussions to date have focused primarily on interference by China and Russia.⁵
• Locally, following the Council of Australian Governments meeting on 12 December 2018, Australian governments at the federal, state and territory level announced a commitment to 'better coordinate responses to cyber-attacks'.⁶

Organisations continued to be held hostage by ransomware

Ransomware cost victims dearly

After dominating headlines in 2017 with the likes of NotPetya and WannaCry, ransomware attacks continued to wreak havoc in 2018, remaining at the top of Europol's malware threat list.¹

SamSam ransomware attacks targeted a number of organisations (predominantly in the US), such as the City of Atlanta.² Atlanta spent $2.6 million, in addition to the $52,000 worth of Bitcoin demanded, to recover from the attack.³

Expert Chris Boyd⁴ advised victims of a ransomware attack not to pay the ransom because it 'encourages scammers to continue with their profitable business model'⁵. In certain circumstances, paying ransom may even amount to a contravention of US sanctions.⁶ This revelation comes after the cryptocurrency addresses of two individuals involved in converting the ransomware payment into fiat currency were publicly identified and placed on the Specially Designated Nationals and Blocked Persons List.⁷

In the last weekend of 2018, a ransomware attack disrupted printing operations at several major US newspapers, after malware affected systems used by Tribune Publishing.⁸

Data breaches were disproportionately common and severe in the health sector

High numbers of breaches

The healthcare sector has become a popular target in recent times. The substantial amount of personally identifiable information contained within health records, makes them 'up to 10 times more valuable'.¹

Since the introduction of the NDB Scheme in Australia, the private health sector has continued to report the highest number of data breaches. Since the scheme came into effect, the sector has reported a total of 109 breaches and was the only one with a higher rate of reported breaches attributable to human internal factors, such as employee carelessness or misbehaviour, than to external threats.² The figures in the OAIC's Quarterly Reports exclude any incidents involving the MyHealth Record system. The Australian Digital Health Agency annual report identifies 42 data breaches in relation to the MyHealth Record system³ in 2017-18, though none were malicious attacks.

Data breaches in the health sector are not unique to Australia. Globally, health information is a 'lucrative target' for hackers⁴, and we have seen a number of ransomware attacks and class actions that resulted in substantial costs to health service providers.

• A number of US hospitals suffered ransomware attacks in 2018. In January, an Indiana hospital was forced to pay US$55,000 in bitcoin in exchange for the decryption key after a ransomware attack.⁵ In late November, two hospitals in Ohio suffered similar attacks that prevented them from accepting patients from emergency service transports.⁶
• In July 2018, CarePartners in Ontario, Canada, announced thousands of patient records were being held for ransom.⁷

The costs

Apart from the legal risks involved in these data breaches, there are significant financial and reputational ramifications for affected businesses. These include impacts on the level of trust in the underlying patient relationship, the continuing health of patients, the organisation's reputation and regulatory fines or litigation costs.

In addition to the regulatory fines imposed by the US Department of Health and Human Services' Office for Civil Rights, there have been a large number of class actions brought in the US in relation to health sector data breaches. In October 2018, the Office for Civil Rights announced a $16 million settlement with health insurer Anthem Inc. for a 2015 data breach, the largest reported health data breach in US history.⁸ This is the largest settlement paid to the Office for Civil Rights and follows a 2017 class action which recovered $115 million.⁹ To help providers confront this costly threat, the Department of Health and Human Services recently released a voluntary guide detailing security measures healthcare organisations should adopt.

In 2018, health firms globally lost 6.7 per cent of their customers following a data breach – the highest of any industry.¹⁰ A study published in the American Journal of Managed Care has also found that data breaches at US hospitals are associated with a 64 per cent increase in annual advertising expenditures. On average, hospitals that suffered a data breach spent US$1.15 million more on advertising than those that did not in the two years following the breach.¹¹

Mandatory notification laws increased the threat of data breach class actions

Class actions on the rise

Class actions arising out of data breaches have been common in the US for some time, however, in Australia they largely remain unchartered territory. Since the introduction of the NDB Scheme, we have seen a few class actions commenced or threatened in Australia. It remains to be seen how successful these actions will be, in the absence of an actionable right to privacy in Australia.

• Centennial Lawyers filed a class action in relation to a data breach of NSW Ambulance's IT systems, in which the personal information of employees and contractors was leaked.¹
• Centennial Lawyers is also taking expressions of interest from persons who may have been affected by the PageUp data breach in May this year.²
• IMF Bentham lodged a complaint against Facebook with the OAIC for alleged breaches of the Privacy Act 1988 (Cth) and APPs. The complaint is based on Cambridge Analytica's unauthorised access, retrieval and use of millions of Facebook users' data.³

In the Digital Platforms Inquiry Preliminary Report released on 10 December 2018, the ACCC supported the introduction of an individual right for consumers to bring claims for breaches of the Privacy Act concerning their information. The ACCC recommended that individuals should be able to recover for financial and non-financial harm suffered as a consequence of a breach of the Privacy Act and the APPs. Watch this space.

In the EU, we have seen the number of data breach class actions steadily increasing following the introduction of the GDPR, which allows persons to recover for non-material damage suffered as a result of a data breach.⁴ These damages compensate an individual for 'inconvenience, distress and annoyance' attributable to data breaches.⁵

• In September, SPG Law commenced a £500 million class action proceeding against British Airways after it was revealed in September that the personal data of 380,000 customers was compromised.⁶
• In October, Morrisons was held vicariously liable for the actions of a rogue employee who published the personal information of almost 100,000 employees. While Morrisons has stated its intention to appeal the decision, this serves as a reminder that 'organisations cannot be complacent about data protections'.⁷

Companies' cyber security practices are coming under increased scrutiny from investors and consumers, giving them another reason to put cyber security at the top of their priority lists.

Data breaches shone a light on inadequate and unethical data handling practices

Significant reputational risks

The following two cases reveal the potential for inadequate data handling to inflict significant reputational damage, even where there is doubt over whether privacy law was in fact breached.

• HealthEngine: In June 2018, the ABC revealed that HealthEngine had been sharing patient information with law firm Slater and Gordon, on the basis it obtained express consent.¹ Irrespective of whether HealthEngine was in breach of privacy law, these practices were out of step with consumer expectations and perceived as inadequate and unethical. The scandal attracted significant negative media attention. Just nine days later the company announced that it had changed its business model to ameliorate concerns about its handling of user data.²
• Facebook-Cambridge Analytica: In early 2018, it was revealed that Cambridge Analytica had been harvesting personal data en masse from Facebook and using it for political purposes. Christopher Wylie, the whistle-blower at Cambridge Analytica, claims Facebook knew that data was being improperly pulled as early as 2015 and did nothing.³ While Facebook was fined £500,000 in the UK by the ICO,⁴ the company also suffered significant reputational damage with user growth slowing and its market capitalisation dropping by US$119 billion.⁵ Facebook is also facing possible class action law suits in Australia,⁶ the UK and the US.⁷

Phishing scams caught bigger fish

Phishing

In Australia, the number of phishing attacks rose in the third quarter of 2018, where the OAIC reported phishing attacks comprised 50 per cent of malicious or criminal attacks.¹ This was up from 29 per cent in the second quarter.²

Examples of recent phishing attacks include:

• Airbnb: Early in 2018, hackers impersonating Airbnb warned hosts they would be unable to accept any further bookings until a new privacy policy was accepted and subsequently asked them to enter their personal information.³ This scam took advantage of the fact that many companies were contacting customers about updated privacy policies before the introduction of the GDPR.
• Tax scams: Tax time is popular for phishing attacks, and 2018 was no different. In Australia, hackers impersonating the ATO have been calling individuals alleging fraud against the ATO. Queensland Police Financial and Cyber Crimes Group Detective Inspector Melissa Anderson has advised that government officers ordinarily do not make such calls.⁴ The International Revenue Service has also warned of tax scams in a number of US states.⁵

BEC

BEC scams involve hacking or social engineering to deceive employees into transferring sensitive information or money to the scammer. Less sophisticated scammers employ 'domain squatting', a process whereby the scammer purchasers a domain that looks similar to the domain used by the target company (eg CEO@company.com.au vs CEO@c0mpany.com.au).⁶ More sophisticated attackers infect the computers of the target company to take over the legitimate emails of high level executives, making false emails all the more difficult to spot.

Frequently, lower-level employees are the target of these attacks. While BEC scams can be difficult to identify, companies can reduce the likelihood of falling victim to such an attack by implementing training programs for employees and fostering a culture of cyber awareness.

Between October 2013 and May 2018, BEC scams cost businesses around the world more than US$12.5 billion.⁷ In 2018, a group referred to as 'London Blue' generated a list of 50,000 executives to use as targets for their schemes.⁸ The scam was discovered after the CFO of a company was the recipient of false email purporting to be from the CEO.⁹

BEC scams are predicted to be an increasingly popular method of attack in 2019, especially against targets that fail to adequately educate employees and do not use multi-factor authorisation.¹⁰