Managing Online Risk: Data Breaches and Social Slander
Information on data breaches, managing online risk, and social slander. Topics include data protection, breach notifications, practical tips, and more.
Presentation Transcript
Data Breaches and Social Slander
How to manage online risk
Peter Moran, Principal, Norton Gledhill
Ian Bloomfield, Managing Director, Ignite Systems, www.ignite.com.au
Overview
What is data?
What about meta-data?
What is a data breach & how can it happen?
Mandatory Data Retention
Privacy and Mandatory Data Breach Notifications
The Cloud
Practical tips for avoiding a Data Breach
Practical tips for handling a Data Breach
Social Media Slander and Reputational Risk
How to manage online risk | 9 March 2017 | Page 3
What is data?
Information converted into a digital form.
Most regimes relating to data protection are referring to identifying information, confidential information, sensitive information, personal information.
Concepts of personal information should be well understood in the context of the Privacy Act regime: information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not; and
(b) whether the information or opinion is recorded in a material form or not.
What is data?
"Sensitive information" is a type of personal information that discloses information about an individual's:
health (including predictive genetic information)
racial or ethnic origin
political opinions
membership of a political association, professional or trade association or trade union
religious beliefs or affiliations
philosophical beliefs
sexual orientation or practices
criminal record
biometric information that is to be used for certain purposes
biometric templates.
A breach relating to sensitive information may be more likely to give rise to substantial harm to an individual than other types of personal information.
What about meta-data?
Data about data
https://www.youtube.com/watch?v=XZTiN778B-c
What is a data breach?
OAIC Data Breach Notification: A guide to handling personal information security breaches
Data breach means when personal information held by an agency or organisation is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference.
http://www.oaic.gov.au/privacy/privacy-resources/privacy-guides/data-breach-notification-a-guide-to-handling-personal-information-security-breaches
What is a data breach?
Privacy Amendment (Notifiable Data Breaches) Bill 2016 - Explanatory Memorandum
A data breach arises where there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals (the affected individuals), or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure.
https://www.legislation.gov.au/Details/C2016B00173/Explanatory%20Memorandum/Text
How can it happen?
In November 2016, a Fairfax Media investigation revealed that overseas companies are selling the personal data of Optus, Telstra and Vodafone customers to anyone willing to pay. The data was reportedly leaked by corrupt call centre workers. In response, the Australian Information and Privacy Commissioner said he would be in touch with the three telcos to remind them of their obligations and to consider his options.
In October 2016, the Australian Red Cross announced that it had become aware that a file containing over 550,000 Australian donors' personal information had been made publicly accessible. The cause of the breach was a third party organisation which develops and manages the Red Cross's website.
In September 2016, University of Melbourne academics notified the Health Department that they were able to decrypt some service provider ID numbers in the publicly available Medicare 10 per cent dataset. Personal information caught in the breach included sexual risk questions. The Department of Health immediately removed the dataset from the website and the Australian Information and Privacy Commission launched an investigation into the leak.
How can it happen? Unintentional
Lost device storing data: laptop, tablet, mobile phone, portable storage device.
Disposal of equipment or return of leased equipment containing digital storage media without the contents first being erased: computer hard drives, storage integrated in devices such as multifunction printers.
Mistakenly providing personal information to the wrong person, e.g. sending to the wrong email address.
How can it happen? Illegal activity: external actor
Stolen device storing data: computer of any sort (home desktop), mobile phone, portable storage device.
Files containing personal information being 'hacked' or otherwise illegally accessed.
An individual deceiving an agency or organisation into improperly releasing the personal information of another person.
How can it happen? Illegal activity: internal actor
Employees accessing or disclosing personal information outside the requirements or authorisation of their employment.
Taking personal information home on a computer or removable media.
Emailing personal information.
Posting personal information on social media.
How can it happen?
In May 2016 an article in Law360 reported on a study that found employees are the number-one contributor to private data breach incidents, with over half of companies surveyed reporting they have experienced a security incident because of a malicious or negligent employee.
https://www.law360.com/articles/799293/employee-slip-ups-underlie-most-data-breaches-study-says
Mandatory Data Retention
The Telecommunications (Interception and Access) Act 1979 requires telecommunications companies to retain a particular set of telecommunications data for at least two years.
Applies to "any person who supplies, or proposes to supply, an internet carriage service to the public", potentially broader than the traditional notion of an ISP.
Limited range of data to be retained, which is information about a communication, but not the content or substance of a communication.
For phone calls, data is information such as the phone numbers of the people talking to each other and how long they talked to each other for, not what they said.
For email activity, data is information such as relevant email addresses and when it was sent, not the subject line of the email or its content.
Mandatory Data Retention
April 2017 deadline for ISPs to have data retention processes in place.
Social Media is excluded from the regime.
Regime greatly extended by the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015.
Very controversial and coined as a "data tax".
Data Retention: What is and isn't included?
What isn't included?
The status of a mobile device, for example, if it is lost, stolen or on roaming.
Web browsing history.
The body or text of SMS messages.
The body and subject lines of emails.
Files attached to emails including photos or documents.
The audio of phone conversations.
The audio recordings of online or social media chats.
Continuous location tracking via mobile devices.
What will be kept for a minimum of two years?
Phone calls:
Incoming caller identification.
Outgoing caller identification.
The time, date and duration of the phone call.
The location of the device at the beginning and the end of the phone call.
Information about what features were used on any particular call such as call waiting or call forwarding.
The unique identifier number assigned to a particular mobile phone device.
Email address.
The time, date, size and recipients of emails.
The file type and size of any attachments sent or received with emails.
Internet (if these services are provided by an Australian operator):
Online chat time, date and the identity of those on the chat.
Details about internet usage including how much bandwidth the internet service provides.
How many uploads/downloads were made and the size of each one.
Details about what technology enabled each communication, i.e. ADSL, wifi, cable internet.
Account details held by the ISP or telco provider, including when the account was activated or suspended.
Mandatory Data Retention - Problems to Consider
The regime is complex and difficult to interpret even for specialists in the telecommunications sector.
How will the Internet of Things interact with the regime (eg how will data be collected)?
What about all the data generated in Australia not held by Australian ISPs (eg Google, Gmail, Skype etc)?
When in doubt, ISPs will over-retain data.
Possibility of meta-data being used in civil cases.
Mandatory Data Breach Notification
Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth)
Amends the Privacy Act 1988 to require agencies, organisations and certain other entities to provide notice to the Australian Information Commissioner and affected individuals of an eligible data breach.
Will commence sometime between now and February 2018.
Applies to organisations already subject to the Privacy Act (ie turnover in excess of $3 million).
Makes mandatory what many organisations have started to do voluntarily (eg Australian Red Cross).
Mandatory Data Breach Notification
A data breach is unauthorised access to or disclosure of personal information, including the loss of personal information that is likely to give rise to unauthorised access or unauthorised disclosure.
It is an "eligible data breach" if a reasonable person would conclude that there is a likely risk of serious harm to any of the affected individuals.
Serious harm includes serious physical, psychological, emotional, economic and financial harm as well as serious harm to reputation.
If an entity suspects an eligible data breach has occurred, it must undertake an assessment of the relevant circumstances.
If there is a data breach and action is taken so that there is no unauthorised access to or unauthorised disclosure of personal information, or no serious harm, then it is not an eligible breach.
Privacy: Australian Privacy Principles
Apply if revenue over $3 million.
APP 11: must take reasonable steps to protect personal information from misuse, interference and loss and from unauthorised access, modification or disclosure.
APP 12: must provide access to a person's personal information upon request of that person.
APP 8: if disclosed to an overseas organisation, can be responsible for the use of the information by that organisation.
Privacy: What is disclosure?
Not defined in the Privacy Act. The APP Guidelines say that an APP Entity discloses personal information when it makes it accessible to others outside the entity and releases the subsequent handling of the personal information from its effective control (B.64).
Disclosure is to be contrasted with "use". See 8.14 of the APP Guidelines: for example, where an APP Entity provides personal information to a cloud service provider located overseas for the limited purpose of performing the services of storing and ensuring the entity may access the personal information, this may be a use provided:
1. there is a binding contract between the parties for the information to be handled only for these limited purposes;
2. the contract requires subcontractors to agree to the same obligations; and
3. the contract gives the entity effective control of how the information is handled.
What is the cloud?
The provision of Information Technology infrastructure as a service rather than as a product, ie you share someone else's infrastructure rather than have your own. Outsourcing and renting back IT infrastructure.
Three core types of services:
1. Software as a Service (SaaS)
2. Infrastructure as a Service (IaaS)
3. Platform as a Service (PaaS)
Also training-as-a-service, service-as-a-service, disaster-recovery-as-a-service.
Cloud Services
ASD [Australian Signals Directorate] strongly encourages agencies to choose either a locally-owned vendor or a foreign-owned vendor that is located in Australia and stores, processes and manages sensitive data only within Australian borders. Note that foreign-owned vendors operating in Australia may be subject to foreign laws such as a foreign government's lawful access to data held by the vendor.
Cloud Computing Security Considerations, ASD Discussion Paper
http://www.asd.gov.au/publications/protect/cloud_computing_security_considerations.htm
Cloud Services tips and tricks
1. Use a structured process when selecting cloud services, in particular reviewing the provider's terms of service, privacy policy, security policy, data retention policy etc.
2. Investigate whether your cloud service provider is compliant with relevant industry standards (see, for example, www.legalcloudcomputingassociation.org).
3. Ensure contracts clearly define performance obligations, including support response times and a clear method for measuring performance.
4. Ensure an exit procedure is settled, including providing for the service provider encountering an insolvency event.
Cloud Services tips and tricks
5. Investigate whether your service provider uses data encryption.
6. Ensure that your cloud services provider warrants that all data will be held within Australian data centres.
7. Negotiate a dispute resolution procedure with the cloud service provider, in particular as regards access to data during a dispute, such as using a data escrow agent.
Practical Tips for Avoiding a Data Breach: Data governance
Risk assessment
Policies
Processes and procedures
Accountabilities
Handling of data
Storage of data
Access to data
Practical Tips for Avoiding a Data Breach: Data audit
What Personal Information is collected?
How is the Personal Information collected?
How is the Personal Information processed?
Where is the Personal Information stored?
Who has access to the Personal Information?
Practical Tips for Avoiding a Data Breach: Cyber Security - Email (sending)
Don't email Personal Information unless essential.
Don't use personal email accounts.
Confirm the legitimacy of the recipient before sending.
Use email encryption if it is an option.
Practical Tips for Avoiding a Data Breach: Cyber Security - Email (receiving)
Don't click on links in emails.
Never open an email attachment unless you are expecting it, or you have confirmation from the sender about its authenticity.
Practical Tips for Avoiding a Data Breach: Cyber Security - Files
Use encryption on laptop computers.
Do not store Personal Information on portable media.
Don't use personal cloud file storage like Dropbox and iCloud to store company files.
Practical Tips for Avoiding a Data Breach: Cyber Security - Passwords
Use strong passwords.
A different one for every account.
Change passwords regularly.
Better still, use multi-factor authentication.
Practical Tips for Avoiding a Data Breach: Cyber Security - Social Media
Risk of posting information that compromises your identity.
Social platforms used as a delivery mechanism for malware.
Practical Tips for Avoiding a Data Breach: Training and awareness
Is everyone aware of the company policies, processes and procedures, and their personal responsibilities?
Access and handling of Personal Information
Cyber security
Social media usage
Practical Tips for Handling a Data Breach
OAIC Data Breach Notification: A guide to handling personal information security breaches
Responding to data breaches: four key steps
Step 1: Contain the breach and do a preliminary assessment
Step 2: Evaluate the risks associated with the breach
Step 3: Notification
Step 4: Prevent future breaches
http://www.oaic.gov.au/privacy/privacy-resources/privacy-guides/data-breach-notification-a-guide-to-handling-personal-information-security-breaches
Practical Tips for Handling a Data Breach: Be prepared
Have a policy.
Have processes and procedures.
Treat a possible breach as a breach until proved not to be a breach.
Act quickly.
Follow up on all breach incidents.
Social media slander and reputation breaches.
1. Madden v Seafolly [2014] FCAFC 30. The appellant, Ms Leah Madden, and the respondent, Seafolly Pty Ltd, were competitors in the ladies' swimwear fashion industry.
2. Madden both asserted and implied that Seafolly had copied eight of her swimwear designs. The assertions were made on Ms Madden's personal Facebook page, her business Facebook page and in emails to media outlets.
3. Madden's assertions stemmed from the fact that an individual named Ms McLaren had met with her on behalf of a swimwear retailer. Ms McLaren viewed a number of designs and took photos of those designs. Madden later learned that Ms McLaren also worked for Seafolly.
4. Unfortunately for Madden, six of the relevant Seafolly designs were released to the market prior to her meeting with Ms McLaren and the other two were substantially developed at the time. The court held that Seafolly did not copy Madden's designs.
5. At first instance, the primary judge found that Madden had engaged in conduct that was misleading or deceptive in contravention of section 52 of the Trade Practices Act 1974 (Cth) (TPA) (now section 18 of schedule 2 of the Competition and Consumer Act 2010 (Cth)). His Honour held, however, that Seafolly hadn't suffered any damages as regards its profitability but awarded $25,000 under section 82 for damage to its reputation, the damage being neither significant nor ongoing.
6. Madden cross-claimed against Seafolly, submitting that it had defamed her and engaged in misleading or deceptive conduct by publishing its two press releases. The primary judge found the publications to be defamatory but upheld Seafolly's defences of justification and qualified privilege. For similar reasons, the primary judge also held that Madden's misleading or deceptive conduct claim failed.
Social media and reputation breaches: findings from the Madden appeal
Statements made on a personal Facebook page could be made in trade or commerce.
An allegation of copying or plagiarism may be held to be a statement of fact, not an opinion.
Recklessly made statements of opinion can still be misleading.
A defamatory response to a defamatory statement must be proportional.
Social media slander and reputation breaches.
The Madden decision provides some salutary lessons about the use of social media by businesses. In particular:
always check the accuracy of facts and assertions before publishing those facts or expressing opinions about those facts, particularly where such facts or opinions are directly or indirectly critical or derogatory of third parties;
be careful to only express opinions when making critical comments about businesses on personal social media pages (ie expressions of fact may be misleading or defamatory); and
when responding, in a public way, to comments made by a third party which are asserted as being false, ensure the response is proportionate and does not itself make false assertions.
Resources
Privacy Amendment (Notifiable Data Breaches) Bill 2016 - Explanatory Memorandum: https://www.legislation.gov.au/Details/C2016B00173/Explanatory%20Memorandum/Text
The Australian Privacy Principles guidelines: https://www.oaic.gov.au/privacy/applying-privacy-law/app-guidelines
OAIC Data Breach Notification: A guide to handling personal information security breaches: http://www.oaic.gov.au/privacy/privacy-resources/privacy-guides/data-breach-notification-a-guide-to-handling-personal-information-security-breaches
Cyber Precedent: An information campaign by the Law Council of Australia to assist the legal profession defend itself against growing cyber threats: http://lawcouncil.asn.au/lawcouncil/cyber-precedent-home
StaySmartOnline: Australian Government's online safety and security website: https://www.staysmartonline.gov.au
Identity security: Information on the Attorney-General's Department website: https://www.ag.gov.au/identitysecurity
Security Tips for the Use of Social Media: Australian Signals Directorate information: https://www.asd.gov.au/publications/protect/security_tips_for_using_social_media_websites.htm