Page 1

Presented by

Michael Gapes, Partner

Cyber breaches: are you prepared?

Page 2

www.carternewell.com © Carter Newell 2016

Page 3

Overview

What is cyber crime?

What are the risks and impacts to your

business if you are a target?

What responsibilities do you have to protect a patient’s personal and health information?

How can you protect your organisation from

a cyber breach?

What are the insurance solutions available to transfer

the risk?

Page 4

So what is cyber crime?

When an individual’s or an organisation’s electronic data is subject

to loss or unauthorised access, use, disclosure, copying or

modification.

There are different types of cyber crime including:

Unauthorised access or hacking;

Malware; and

Denial of service attacks.

These types of attacks are criminal offences under the Criminal

Code Act 1995 (Cth), as well as state and territory laws.

Cyber breaches can also arise from employee negligence or poorly managed data sharing and monitoring practices, and from the malicious acts of employees and former employees.

Page 5

The causes of cyber breaches

Malicious or criminal attacks are the primary causes of cyber

breaches

Malicious or criminal attack: 46%

System glitch: 27%

Human error: 27%

Page 6

Some statistics for you…

Cybercrime costs the Australian economy over $2 billion annually.

5.4 million Australians were victims of cyber crime in 2012.

693,000 businesses experienced a cyber crime in 2014.

Recent studies have revealed that up to 70% of all targeted companies are

small businesses.

The average cost to a business that has been subjected to a cyber breach was $2.64 million.

Post-cyber breach costs on average were $640,000 in 2016 (includes

remediation activities, legal costs, regulatory interventions etc.).

Cyber breaches cost companies an average $142 per record compromised in

2016.

60% of companies will go out of business within one year of a cyber breach.

85% of customers who had their personal data compromised will not deal with

the offending organisation again.

Source: Ponemon Institute Research Report

Page 7

Some statistics from the

healthcare industry…

There has been a 600% (yes, 600%) increase in cyber attacks on

healthcare organisations since 2014.

The healthcare industry has 4 times as many security breaches as other industries.

The industry is 3 times more likely to encounter data theft.

Patient information is 10 times more valuable than other data on the

black market.

Page 8

Some household names here

Woolworths

iiNet

Aussietravel cover

UQ

David Jones

K-Mart

Aussie Farmers

Patagonia Clothing Company

QLD Tafe

Bureau of Meteorology

The Federal Department of

Employment

West Australian Parliament

Page 9

Some industry specific

examples

Miami Family Medical Centre

A ransomware attack.

Russian hackers demanded a ransom of $4000 to decrypt information

on the practice’s server.

Page 10

Some industry specific

examples (cont’d)

Royal Melbourne Hospital (2015)

A virus attack affected the hospital’s Windows XP operating system.

It was subsequently discovered that the system had serious security faults which had allowed hackers to take control of it remotely.

The virus impacted the Pathology and Radiology Departments.

It was reported that the hospital was forced to send its major trauma

patients to other hospitals.

Luxottica Retail Australia (2015)

Test results and contact details of hundreds of Australian Defence

personnel inadvertently sent to China.

Page 11

So what are the impacts to your

business?

Business interruption

Damage to network and system

Investigation and compliance costs

Loss of revenue

Loss of clients (liability to 3rd parties less easy to predict)

Reputational and brand damage

Regulatory investigations

Fines and penalties

Civil claims

Page 12

What are your responsibilities

regarding personal and health

information?

The Privacy Act 1988 (Cth) regulates the handling of personal information

(including health information) about individuals.

The Act applies to all private sector health service providers.

(state and territory public hospitals and health services are not covered under the Act, but may

be covered by state or territory legislation).

‘Personal information’ is information or an opinion about an identified

individual, or an individual who is reasonably identifiable.

‘Health information’ is information about an individual’s health or disability,

as well as any other personal information collected while an individual is

receiving a health service.

Page 13

The Privacy Act 1988 (Cth)

In March 2014, a unified set of Australian Privacy Principles (APPs) came into force. They apply to all Commonwealth Government agencies and to businesses with annual turnovers above $3 million, and, regardless of turnover, to private sector health service providers.

There are 13 APPs which cover everything from the use and

collection of personal information, to data security, data quality and

access rights.

APP 11 – Security of Personal Information:

An APP entity that holds personal information must take reasonable steps to

protect the information from misuse, interference and loss, as well as

unauthorised access, modification or disclosure.

An APP entity must take reasonable steps to destroy or de-identify the personal

information it holds once the personal information is no longer needed for any

purpose for which the personal information may be used or disclosed under the

APPs.

What counts as reasonable steps depends on the nature and amount of personal information held.
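The ‘destroy or de-identify’ limb of APP 11 is easy to get wrong in practice: replacing a name with a plain hash of an identifier is not de-identification when the identifier space is small enough to guess. The following Python script is an added example, not material from the presentation; the record layout, the seven-year retention period, the demo key and the function names are assumptions made for illustration (actual retention periods are set by state and territory health records law). It sweeps records past retention, either destroying them or de-identifying them with a keyed HMAC pseudonym, and shows why an unkeyed hash can be reversed by an attacker.

```python
"""Retention sweep illustrating APP 11's 'destroy or de-identify' step.

Added example, not from the Carter Newell presentation. The record layout,
the 7-year retention period and the demo key are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
from datetime import date
from typing import Optional

# Constructed sample records (fictitious patients, made up for this example).
SAMPLE_RECORDS = [
    {"patient_id": "P-1001", "name": "Alice Example", "dob": "1980-03-02",
     "medicare": "2123 45670 1", "diagnosis": "asthma", "last_service": "2010-01-15"},
    {"patient_id": "P-1002", "name": "Bob Sample", "dob": "1975-11-20",
     "medicare": "3123 45670 2", "diagnosis": "hypertension", "last_service": "2015-06-30"},
    {"patient_id": "P-1003", "name": "Carol Test", "dob": "1990-07-07",
     "medicare": "4123 45670 3", "diagnosis": "fracture", "last_service": "2001-02-01"},
]

# Fields that identify a person directly; removed on de-identification.
DIRECT_IDENTIFIERS = ("name", "dob", "medicare")
RETENTION_YEARS = 7  # assumption; real periods come from health records legislation
DEMO_KEY = b"demo-key-only-use-new_pseudonym_key-in-production"  # fixed for reproducibility


def new_pseudonym_key() -> bytes:
    """Secret key for pseudonyms; store it separately from the de-identified data set."""
    return secrets.token_bytes(32)


def keyed_token(patient_id: str, key: bytes) -> str:
    """Stable pseudonym: same patient -> same token, but nobody can recompute it
    without the key, so the de-identified data set alone re-identifies no one."""
    return hmac.new(key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def unkeyed_token(patient_id: str) -> str:
    """Plain hash of the identifier, shown only to demonstrate the weak approach."""
    return hashlib.sha256(patient_id.encode()).hexdigest()[:16]


def brute_force(token: str, candidates, token_fn) -> Optional[str]:
    """Attacker's view: try every plausible identifier and compare the tokens."""
    for candidate in candidates:
        if hmac.compare_digest(token_fn(candidate), token):
            return candidate
    return None


def deidentify(record: dict, key: bytes) -> dict:
    """Strip direct identifiers, replace the patient id with a keyed token and
    coarsen the service date to a year so the remaining fields are harder to link."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["patient_token"] = keyed_token(out.pop("patient_id"), key)
    out["last_service"] = out["last_service"][:4]
    return out


def retention_cutoff(today: date, years: int) -> date:
    """Same calendar day `years` ago; 29 February falls back to 28 February."""
    try:
        return today.replace(year=today.year - years)
    except ValueError:
        return today.replace(year=today.year - years, day=28)


def retention_sweep(records, today: date, key: bytes,
                    years: int = RETENTION_YEARS, mode: str = "deidentify"):
    """Split records into those still needed and those past retention.
    Past-retention records are de-identified, or dropped entirely in 'destroy' mode."""
    if mode not in ("deidentify", "destroy"):
        raise ValueError("mode must be 'deidentify' or 'destroy'")
    cutoff = retention_cutoff(today, years)
    kept, processed = [], []
    for record in records:
        if date.fromisoformat(record["last_service"]) < cutoff:
            if mode == "deidentify":
                processed.append(deidentify(record, key))
        else:
            kept.append(record)
    return kept, processed


def sweep_sample(as_of: str = "2016-06-01", mode: str = "deidentify"):
    """Run the sweep over the constructed records as at the given ISO date."""
    return retention_sweep(SAMPLE_RECORDS, date.fromisoformat(as_of), DEMO_KEY, mode=mode)


if __name__ == "__main__":
    kept, deid = sweep_sample()
    print("still retained:", [r["patient_id"] for r in kept])
    print("de-identified:", deid)
    # Why the key matters: the id space is tiny, so an unkeyed hash is reversed instantly.
    ids = [f"P-{n}" for n in range(1000, 2000)]
    print("unkeyed hash recovered:", brute_force(unkeyed_token("P-1003"), ids, unkeyed_token))
    print("keyed token recovered:", brute_force(keyed_token("P-1003", DEMO_KEY), ids, unkeyed_token))
```

Two points the code makes that the slide does not: the pseudonym key must live outside the de-identified data set (otherwise re-identification is a one-liner for whoever holds both), and "reasonable steps" includes coarsening quasi-identifiers such as dates, since a diagnosis plus an exact service date can still single out a patient in a small practice.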

Page 14

Breaches of the APPs

A breach of an APP will be an ‘interference with privacy’ under the

Act.

The Australian Information Commissioner has the power to investigate possible interferences with privacy, either following a complaint by an individual or on the Commissioner’s own initiative.

The Commissioner has a wide range of enforcement powers,

including enforceable undertakings, determinations and can seek

civil penalties of up to $340,000 against individuals and up to $1.7

million against corporations.

See www.oaic.gov.au

Page 15

Future developments?

Mandatory notification of security

breaches for organisations with

turnovers > $3 million:

Notifying the Australian Information Commissioner of ‘serious data breaches’;

Notifying affected individuals.

A new tort of privacy.

Page 16

How can you protect your organisation

from a cyber breach?

Manage the risk: Understand the nature of the data you hold,

assess whether it is accessible by third parties and identify the risks

that this data faces from a cyber attack.

Have an IT Response Plan: see the OAIC website for an example.

www.oaic.gov.au

Have a Crisis Management Response Plan: to assist you in

dealing with clients, regulators, the media and third parties.

If you are attacked, report it to the Police and ACORN.

www.acorn.gov.au

Page 17

How can you protect your organisation

from a cyber breach? (cont’d)

www.cert.gov.au

Implement effective risk management strategies, procedures and

protocols to protect the data, including:

Keep your software up-to-date;

Install reputable security software, which includes a firewall, anti-virus and anti-

spyware applications;

Develop a backup strategy for your data;

Change all default passwords across all operating systems;

Create non-administrator level accounts;

Adopt safe online practices, including have an Acceptable Use Policy;

Secure any remote access services and implement a BYOD policy;

Protect critical information by using encryption;

Obtain data breach and cyber liability insurance.

Train your staff in these strategies, procedures and protocols.

Page 18

Data breach and cyber liability

insurance

Many traditional liability insurance policies such as Management Liability or Professional Indemnity policies won’t cover many of the data breaches and cyber crime risks faced by day hospitals.

For instance, these policies won’t cover losses arising out of:

Your IT network being hacked and you being locked out of your network;

Your patient data being stolen, leaked or held to ransom;

You being investigated by the OAIC.

So a standalone data breach and cyber liability policy is the best way to combat these risks and potential liabilities.

Page 19

What is a data breach and cyber

liability policy and what does it cover?

A good policy will cover a range of potential exposures, including:

Personal and corporate data liability: will pay damages and defence costs for a data breach involving personal or corporate information.

Outsourcing exposures: will pay damages and defence costs for a data breach arising out of the outsourcing of the collection, storage or processing of any data.

Data security liability: will pay damages in the event of physical theft of hardware, data, contamination, denial of access or corruption of data.

Forensic services: will meet costs of IT experts retained to remediate any damage due to breach.

Page 20

What is a data breach and cyber liability

policy and what does it cover? (cont’d)

Defence costs: will pay costs incurred in defending any civil claims or costs involved in responding to any official investigations (for example, by the OAIC).

Fines and penalties: will pay any insurable fines and penalties imposed by a government or regulatory authority.

Notification and monitoring costs: if affected individuals need to be notified or monitoring put in place for mitigation purposes.

Reputation repair: will meet costs of a PR company being engaged to mitigate damage sustained to company or individual.

Cyber extortion: will pay any cyber extortion loss (for example, a ransom) to end a security threat (subject to local laws etc).

Media content: will pay damages in the event of a breach of copyright, IP, plagiarism, piracy, invasion of privacy etc.

Network interruption: will pay income losses suffered as a result of a security failure or breach.

Page 21

What is a data breach and cyber liability

policy and what does it cover? (cont’d)

It is highly recommended that all healthcare sector participants obtain appropriate data breach and cyber liability insurance.

The cost of these policies is extremely modest.

A good data breach and cyber liability policy will offer a wide range of cover, with appropriate limits of indemnity.

Page 22

Questions and Resources

Useful resources:

www.oaic.gov.au

www.acorn.gov.au

www.cert.gov.au

Page 23

Brisbane

Level 13, 215 Adelaide Street

Brisbane QLD Australia 4000

GPO Box 2232

Brisbane QLD 4001

Phone +61 7 3000 8300

Email [email protected]

Sydney

Level 6, 60 Pitt Street

Sydney NSW Australia 2000

Phone +61 2 8315 2700

Melbourne

280 Queen Street

Melbourne VIC Australia 3000

(Via Agency)

www.carternewell.com

