Cyber breaches: are you prepared? Presented by Michael Gapes, Partner
Overview
- What is cyber crime?
- What are the risks and impacts to your business if you are a target?
- What responsibilities do you have to protect a patient's personal and health information?
- How can you protect your organisation from a cyber breach?
- What insurance solutions are available to transfer the risk?
www.carternewell.com 2
So what is cyber crime?
Cyber crime occurs when an individual's or an organisation's electronic data is subject to loss or to unauthorised access, use, disclosure, copying or modification.
There are different types of cyber crime, including:
- Unauthorised access or hacking;
- Malware; and
- Denial of service attacks.
These types of attacks are criminal offences under the Criminal Code Act 1995 (Cth), as well as under state and territory laws. If you are attacked, report it to the Police and to ACORN (www.acorn.gov.au).
Cyber breaches can also arise from employee negligence or from poorly managed data sharing and monitoring practices, and from malicious acts by employees and former employees.
Some statistics for you
- Cybercrime costs the Australian economy over $2 billion annually.
- 5.4 million Australians were victims of cyber crime in 2012.
- 693,000 businesses experienced a cyber crime in 2014.
- Recent studies have revealed that up to 70% of all targeted companies are small businesses.
- The average cost to a business that has been subjected to a cyber breach was $2.64 million.
- Post-cyber breach costs averaged $640,000 in 2016 (including remediation activities, legal costs, regulatory interventions etc.).
- Cyber breaches cost companies an average of $142 per record compromised in 2016.
- 60% of companies will go out of business within one year of a cyber breach.
- 85% of customers who had their personal data compromised will not deal with the offending organisation again.
Source: Ponemon Institute Research Report
Some statistics from the healthcare industry
- There has been a 600% (yes, 600%) increase in cyber attacks on healthcare organisations since 2014.
- The healthcare industry has 4 times the number of security breaches of other industries.
- The industry is 3 times more likely to encounter data theft.
- Patient information is 10 times more valuable than other data on the black market.
Some household names here
- Woolworths
- iinet
- Aussietravel cover
- UQ
- David Jones
- K-Mart
- Aussie Farmers
- Patagonia Clothing Company
- QLD Tafe
- Bureau of Meteorology
- The Federal Department of Employment
- West Australian Parliament
Some industry specific examples
Miami Family Medical Centre: a ransomware attack. Russian hackers demanded a ransom of $4000 to decrypt information on the practice's server.
Some industry specific examples (cont'd)
Royal Melbourne Hospital (2015): a virus attack affected the hospital's Windows XP operating system. It was subsequently discovered that the system had some serious security faults which had allowed hackers to take control of it remotely. The virus impacted the Pathology and Radiology Departments, and it was reported that the hospital was forced to send its major trauma patients to other hospitals.
Luxottica Retail Australia (2015): test results and contact details of hundreds of Australian Defence personnel were inadvertently sent to China.
So what are the impacts to your business?
- Business interruption
- Damage to network and systems
- Investigation and compliance costs
- Loss of revenue
- Loss of clients (liability to 3rd parties is less easy to predict)
- Reputational and brand damage
- Regulatory investigations
- Fines and penalties
- Civil claims
What are your responsibilities regarding personal and health information?
The Privacy Act 1998 (Cth) regulates the handling of personal information (including health information) about individuals. The Act applies to all private sector health service providers. (State and territory public hospitals and health services are not covered under the Act, but may be covered by state or territory legislation.)
Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable.
Health information is information about an individual's health or disability, as well as any other personal information collected while an individual is receiving a health service.
The Privacy Act 1998 (Cth)
In March 2014 a unified set of Australian Privacy Principles (APPs) came into effect, applying to all Commonwealth Government agencies and all businesses with annual turnovers >$3 million. There are 13 APPs, which cover everything from the use and collection of personal information to data security, data quality and access rights.
APP 11 Security of Personal Information:
- An APP entity that holds personal information must take reasonable steps to protect the information from misuse, interference and loss, as well as from unauthorised access, modification or disclosure.
- An APP entity must take reasonable steps to destroy or de-identify the personal information it holds once that information is no longer needed for any purpose for which it may be used or disclosed under the APPs.
- What counts as reasonable steps depends on the nature and amount of personal information held.
Breaches of the APPs
A breach of an APP will be an interference with privacy under the Act. The Australian Information Commissioner has the power to investigate possible interferences with privacy, either following a complaint by an individual or on his own initiative. The Commissioner has a wide range of enforcement powers, including enforceable undertakings and determinations, and can seek civil penalties of up to $340,000 against individuals and up to $1.7 million against corporations.
See www.oaic.gov.au
Future developments?
Mandatory notification of security breaches for organisations with turnovers >$3 million:
- Notifying the Australian Information Commissioner of serious data breaches;
- Notifying affected individuals.
A new tort of privacy.
How can you protect your organisation from a cyber breach?
- Manage the risk: understand the nature of the data you hold, assess whether it is accessible by third parties and identify the risks that this data faces from a cyber attack.
- Have an IT Response Plan: see the OAIC website for an example. www.oaic.govt.au
- Have a Crisis Management Response Plan: to assist you in dealing with clients, regulators, the media and third parties.
How can you protect your organisation from a cyber breach? (cont'd)
www.cert.gov.au
Implement effective risk management strategies, procedures and protocols to protect the data, including:
- Keep your software up-to-date;
- Install reputable security software, which includes a firewall, anti-virus and anti-spyware applications;
- Develop a backup strategy for your data;
- Change all default passwords across all operating systems;
- Create non-administrator level accounts;
- Adopt safe online practices, including having an Acceptable Use Policy;
- Secure any remote access services and implement a BYOD policy;
- Protect critical information by using encryption;
- Obtain data breach and cyber liability insurance.
Train your staff in these strategies, procedures and protocols.
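The checklist above is easier to act on when it is turned into something that can be run repeatedly against the machines in a practice. The script below is an added example, not material from the presentation or from Carter Newell or CERT Australia: it scores a small, constructed inventory of hypothetical hosts against the controls on the slide (patch currency, firewall and anti-virus present, recent backups, no default passwords, at least one non-administrator account, remote access only through a VPN, disk encryption). The host names, field names, threshold values and finding codes are all assumptions chosen for the example; a real deployment would populate the inventory from whatever asset or endpoint management tooling the practice actually uses.

```python
from datetime import date

# Constructed inventory of three hypothetical hosts (not real systems).
# Field names, values and the "remote_access" vocabulary are assumptions.
INVENTORY = [
    {
        "host": "reception-pc",
        "last_patch": date(2016, 6, 1),
        "firewall": True,
        "antivirus": True,
        "last_backup": date(2016, 9, 10),
        "disk_encrypted": False,
        "remote_access": "vpn",
        "accounts": [
            {"name": "frontdesk", "admin": True, "default_password": False},
            {"name": "Administrator", "admin": True, "default_password": True},
        ],
    },
    {
        "host": "pathology-srv",
        "last_patch": date(2016, 9, 5),
        "firewall": True,
        "antivirus": True,
        "last_backup": date(2016, 9, 11),
        "disk_encrypted": True,
        "remote_access": "vpn",
        "accounts": [
            {"name": "labuser", "admin": False, "default_password": False},
            {"name": "svc-backup", "admin": True, "default_password": False},
        ],
    },
    {
        "host": "old-imaging-pc",
        "last_patch": date(2014, 4, 8),
        "firewall": False,
        "antivirus": False,
        "last_backup": None,
        "disk_encrypted": False,
        "remote_access": "rdp_internet",
        "accounts": [
            {"name": "imaging", "admin": True, "default_password": True},
        ],
    },
]

# Fixed "today" so the example is reproducible; assumed thresholds below.
TODAY = date(2016, 9, 12)
MAX_PATCH_AGE_DAYS = 30
MAX_BACKUP_AGE_DAYS = 7


def check_host(host, today=TODAY):
    """Return a sorted list of finding codes for one host (empty = passes)."""
    findings = set()
    if (today - host["last_patch"]).days > MAX_PATCH_AGE_DAYS:
        findings.add("SOFTWARE_OUT_OF_DATE")
    if not host["firewall"]:
        findings.add("NO_FIREWALL")
    if not host["antivirus"]:
        findings.add("NO_ANTIVIRUS")
    # A backup that has never run is treated the same as a stale one.
    last_backup = host["last_backup"]
    if last_backup is None or (today - last_backup).days > MAX_BACKUP_AGE_DAYS:
        findings.add("BACKUP_STALE_OR_MISSING")
    if any(a["default_password"] for a in host["accounts"]):
        findings.add("DEFAULT_PASSWORD_IN_USE")
    # If every account is an administrator, day-to-day work runs with full rights.
    if all(a["admin"] for a in host["accounts"]):
        findings.add("NO_NON_ADMIN_ACCOUNT")
    # Only "none" and "vpn" count as secured remote access in this example.
    if host["remote_access"] not in ("none", "vpn"):
        findings.add("UNSECURED_REMOTE_ACCESS")
    if not host["disk_encrypted"]:
        findings.add("DATA_NOT_ENCRYPTED")
    return sorted(findings)


def audit(inventory, today=TODAY):
    """Map each host name to its findings, preserving inventory order."""
    return {h["host"]: check_host(h, today) for h in inventory}


def hosts_failing(inventory, today=TODAY):
    """Names of hosts with at least one finding, in inventory order."""
    return [name for name, f in audit(inventory, today).items() if f]


if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, "OK" if not findings else ", ".join(findings))
```

Run as a script it prints one line per host; the finding codes map one-to-one onto the controls on the slide, so a non-empty list is the remediation to-do list for that machine. The thresholds are deliberately simple; the point is that each control becomes a check with a pass/fail answer rather than a sentence in a policy document.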
Data breach and cyber liability insurance
Many traditional liability insurance policies, such as Management Liability or Professional Indemnity policies, won't cover many of the data breach and cyber crime risks faced by day hospitals. For instance, these policies won't cover losses arising out of:
- your IT network being hacked and you being locked out of your network;
- your patient data being stolen, leaked or held to ransom;
- you being investigated by the OAIC.
So a standalone data breach and cyber liability policy is the best way to combat these risks and potential liabilities.
What is a data breach and cyber liability policy and what does it cover?
A good policy will cover a range of potential exposures, including:
- Personal and corporate data liability: will pay damages and defence costs for a data breach involving personal or corporate information.
- Outsourcing exposures: will pay damages and defence costs for a data breach arising out of the outsourcing of the collection, storage or processing of any data.
- Data security liability: will pay damages in the event of physical theft of hardware or data, contamination, denial of access or corruption of data.
- Forensic services: will meet the costs of IT experts retained to remediate any damage due to a breach.
What is a data breach and cyber liability policy and what does it cover? (cont'd)
- Defence costs: will pay costs incurred in defending any civil claims or costs involved in responding to any official investigations (for example, by the OAIC).
- Fines and penalties: will pay any insurable fines and penalties imposed by a government or regulatory authority.
- Notification and monitoring costs: if affected individuals need to be notified or monitoring put in place for mitigation purposes.
- Reputation repair: will meet the costs of a PR company engaged to mitigate damage sustained to the company or an individual.
- Cyber extortion: will pay any cyber extortion loss (for example, a ransom) to end a security threat (subject to local laws etc.).
- Media content: will pay damages in the event of a breach of copyright or IP, plagiarism, piracy, invasion of privacy etc.
- Network interruption: will pay income losses suffered as a result of a security failure or breach.
What is a data breach and cyber liability policy and what does it cover? (cont'd)
A good data breach and cyber liability policy will offer a wide range of cover, with appropriate limits of indemnity. The cost of these policies is extremely modest. It is highly recommended that all healthcare sector participants obtain appropriate data breach and cyber liability insurance.
Call Mediprotect on 1800 177 163 or visit www.mediprotect.com.au.
Questions and Resources
Useful resources:
- www.oaic.gov.au
- www.acorn.gov.au
- www.cert.gov.au
- www.mediprotect.com.au