Lawyers and insurers set for data breach payday
Australia's mandatory data breach notification laws come into force in February 2018. Europe's General Data Protection Regulation (GDPR), which also requires breach notification, becomes law in May 2018. Brexit or not, the UK will also have to comply.
"[GSPR] will continue to apply to all businesses exporting goods or services into the European Single Market, regardless of any future legal and regulatory settlement reached by the UK with the EU," wrote Peter Wright, managing director of DigitalLawUK, and chair of the UK Law Society's Technology and Law Reference Group.
Latest Australian news
So where are we all up to here?
My reading is that we only have hints as to what's required, and that we won't really know until the lawyers get to work.
Wright has some security advice for UK law firms that really should be standard practice everywhere.
"Make sure that whatever medium you are using to either store or transmit personal data -- in particular, data relating to your clients -- is secure and encrypted," he wrote.
Wright warns against "free cloud-based systems like Dropbox or Google Drive to communicate with clients or receive confidential data" because they're not encrypted, but that's no longer the case. Both Dropbox and Google Drive now encrypt customer data at rest, as does Apple's iCloud.
But Wright's general point about using unencrypted file sharing services stands. "You are effectively in legal and regulatory breach by using them for client-related activity as their servers are based in the cloud and most likely in the United States," he wrote. And of course encrypted file storage is irrelevant if a user's credentials are compromised through a phish.
Wright's final observation is, to my mind, the most frightening.
"If firms have already not begun work on achieving compliance with the GPDR, they will find it impossible to achieve full compliance by May 2018. At this point, it's a matter of working out how uncompliant you wish to be. You will have to cherry pick what you can and cannot afford to comply with, and put the rest in place as quickly as possible," he wrote.
UK and European organisations still have an entire year to get compliant with their new laws. Australian organisations, somewhat less, although it could be argued that compliance with Australia's laws would be easier. But is that really the case?
Australia's Privacy Act says that the steps taken to protect personal information must be "reasonable in the circumstances", but there haven't been enough real-world cases to understand what that might mean.
Well how about the standard set by the Australian Signals Directorate (ASD) with its Essential Eight Strategies to Mitigate Cyber Security Incidents, released in February?
"The eight mitigation strategies with an 'essential' effectiveness rating are so effective at mitigating targeted cyber intrusions and ransomware, that ASD considers them to be the cyber security baseline for all organisations," the ASD wrote.
The Essential Eight includes measures that we know many organisations don't implement: application whitelisting; getting rid of Adobe Flash; installing ad blockers; disabling untrusted Microsoft Office macros; multi-factor authentication; or even securely-stored daily backups.
If experts like the ASD consider all these to be "baseline", wouldn't a lawyer argue that failing to implement the Essential Eight is failing to take "reasonable steps"? I guess it depends on "the circumstances", right?
I've previously written that once we seen the first data breaches being disclosed, the lawyers will follow. What I didn't consider was the insurance industry.
Cyber insurance is already the fastest-growing sector of the insurance market, according to Nick Abrahams, a partner with law firm Norton Rose Fulbright, and their APAC technology practice leader. Counter-intuitively, better insurance cover means that the lawyers are far more likely to swoop in for the kill.
"We know that the class-action law firms are looking at cyber as their next big opportunity," Abrahams told the the InnovationAus.com conference Cyber Security -- the Leadership Imperative 2017 in Sydney last week.
"If there's 100,000 people impacted [by a data breach], or a million people, and they can all be awarded $1000 or $2000, that's a class action," he said."
"The US has a massive amount of class actions in relation to privacy breaches, and the reason those class actions occur is because people know that there is insurance there to back it up," Abrahams said. He expects a "steep rise" in litigation.
While it's fast-growing, the cyber insurance industry is "quite immature", especially in Australia, and "all the policies are completely different", according to Andrew Bycroft, chief executive officer of The Security Artist.
"It's not even like comparing apples and oranges, it's like comparing apples and dogs," Bycroft told the same conference.
"A lot of the insurers are actually taking on a lot of unnecessary risk. For example, they wouldn't provide home and contents insurance for people who have houses with no doors, but what I've seen them doing is actually offering policies to organisations which are pretty poor in terms of their resilience capabilities."
Bycroft says that insurers might want to work with potential customers to improve their security posture before selling them insurance.
Craig Davies, chief executive officer of the new Australian Cyber Security Growth Network (ACSGN), wasn't exactly thrilled with that suggestion.
"A marketplace driven by insurers can only be fantastic," Davies told the conference, to nervous audience laughter. "If I had no ethics I'd certainly invest in buying insurance and selling insurance for cyber right now. You could make a fortune."
Yes, there's plenty of money to be made, by insurers, by lawyers, and by the cybersecurity industry that cleans up the mess. Or, ideally, fixes things before there's a mess to clean up.
Somewhere in there, we might even manage to better protect people's personal information.