Enterprise risk maturity no excuse

“Cyber security is now, and always has been, purely a response to risk”¹.  Some Queensland Law Society (QLS) members reading this article will have been personally impacted by the significant cyber failures across the last 12 months. 

Additionally, some QLS members may be advisors to enterprises who have not recognised their dependence on technology and data and have fallen short of the standard of risk management demanded by regulators and society.

Cyber-security laggards are coming to the attention of regulators.  In ASIC v RI Advice Pty Ltd [2022] FCA 496, RI Advice admitted that it took too long to implement and ensure improved measures were adopted and Justin Helen Rofe observed: “Risk relating to cybersecurity and the controls that can be deployed to address such risks evolve over time… It is not possible to reduce cybersecurity risk to zero, but it is possible to materially reduce cybersecurity risk through adequate cybersecurity documentation and controls to an acceptable level.”

Pacific Lutheran College (Privacy) [2023] AICmr 98, handed down on 24 October 2023, provides significant guidance for enterprises, and a timely reminder of charities and not-for-profits, their boards and management teams, and their advisors. 

Facts of the case

Pacific Lutheran College (PLC) is an independent private school on the Sunshine Coast which also operated an early learning centre and outside school hours care service.  PLC is a body corporate and a registered ACNC charity that was found to have breached the Privacy Act.  In 2019 it had revenue of over $19.7 million.  PLC had two previous notifiable data breaches during the period from June 2019 to May 2020.  PLC was subsequently subject to a data breach through a compromised email account that contained about 180,000 emails.

The chronology of events was:

Advertisement

• 28 May 2020: the email account of a manager was subject to unauthorised access by an unidentified third party;
• 8332 phishing emails were sent to contacts of the email account;
• 29 May 2020: PLC became aware of the incident and all staff were notified;
• 16 June 2020: a forensic investigator was engaged to prepare a report about the incident; 
• 28 August 2020: the forensic report was completed and a data review began;
• 29 September 2020: the data review was completed;
• 14 October 2020: PLC concluded that an eligible data breach (EDB) may have occurred with 367 individuals at risk of serious harm;
• 15 December 2020: PLC notified the Office of the Australian Information Commissioner (OAIC) of the data breach; and
• 10 August 2021: the OAIC began an investigation under s40(2) of the Privacy Act.

Enterprises must meet assessment timelines

Under s 26WH(2) of the Privacy Act there is an obligation to conduct and complete an assessment within 30 days after the entity becomes aware of an EDB. PLC must have had some basis in fact to form a suspicion that an EDB had occurred but did not need to be aware of facts sufficient to form a belief.²

The OAIC concluded that a reasonable person in the position of PLC would form a suspicion that some level of unauthorised access or disclosure had taken place.  The identified email account held financial details, tax file numbers, identity information and contact information.

PLC argued that it was not the usual practice for this type of information to be stored in the email account, and that its usual practice was to store this information in secure onsite server. Further, PLC argued that it did not form a suspicion that an EDB had taken place until 2 September 2020.

The OAIC did not consider that the additional certainty provided by the forensic investigation report was necessary to meet the threshold of suspicion, and PLC’s knowledge as at 29 May 2020 was sufficient to give rise to a reasonable suspicion that an EDB may have occurred.

The OAIC found that PLC did not take all reasonable steps to complete its assessment within 30 days of becoming aware of reasonable grounds to suspect. PLC extracted the contents of the compromised email account within two days of the incident, but no further steps were taken in the first 30 days to analyse the contents for personal information.

OAIC findings set assessment expectations

The OAIC noted that PLC could have taken the following steps to ensure the assessment was completed within 30 days (at [87]):

Advertisement

• clearly communicating that the assessment was required to be completed within 30 days;
• prioritising this matter above other routine decisions;
• assigning a person to be accountable for the timely completion of the assessment;
• ensuring the assessment included analysis of the suspected compromised personal information, not just an investigation of the unauthorised access;
• monitoring progress of the assessment and investigation; and
• planning effectively, including by having a data breach response plan in place.

Privacy Principle 11.1 requires reasonable steps to protect personal information from misuse, interference and loss

PLC argued that it had steps in place to protect personal information from interference, unauthorised access and unauthorised disclosure, including from phishing attacks.

The OAIC pointed to two previous notifiable data breaches at PLC that resulted in two third party reports that included ICT-related recommendations including password complexity and rotation, the use of multi-factor or second-factor login identification and a program of staff training to boost ‘cyber awareness’.

OAIC sets out expectations as to Privacy Principle 11.1 compliance

The OAIC noted that:

• PLC did not employ a specific staff member whose role included the responsibility of ensuring privacy culture and governance. Merely having policies was not enough;
• PLC’s privacy policies did not include governance or lines of authority for decisions regarding personal information;
• PLC ought to have had steps in place to ensure privacy focus and awareness, governance and accountability;
• The policies did not provide a basis for any meaningful awareness, governance or accountability in relation to the handling of sensitive information;
• Little, if any, cyber risk or privacy training was provided to PLC staff prior to the incident;
• The user of the compromised email account did not follow PLC’s usual practice of removing personal information from the email account.

The OAIC noted PLC should have taken the following steps (at [174]):

• member/s of staff should have been responsible for personal information security;
• privacy training should have been provided for all staff;
• documented privacy practices, procedures and systems, should have been implemented;
• adequate password security, including complexity and expiration should have been implemented; and
• multifactor authentication ought to have been effectively implemented.

OAIC findings set cybersecurity expectations

PLC orders included (at [190]) preparation of an incident response plan and an information security program. 

The Court gave the following guidance as to what should be set out in the documents:

Advertisement

• an incident response plan that contains, at a minimum:
• a clear explanation of what constitutes a data breach;
• an overview of the roles and responsibilities of personnel when there is a data breach, or suspected data breach;
• clear guidance as to the capacity to investigate a suspected data breach, and the circumstances in which an external provider should be engaged;
• details of the insurance coverage, including the extent of the coverage and the contact details of the insurer;
• a process for engaging an external provider to investigate a suspected data breach where necessary, including details of the information that should be given to the provider;
• clear advice about the need for an investigation to be conducted expeditiously, and for all reasonable steps to be taken to conclude an investigation within 30 days; and
• a communication strategy that allows for notification of data breaches, where required by the Privacy Act.
• an information security program that will enable and ensure compliance with APP 11.1, and which, at a minimum:
• identifies risks to the security or integrity of personal information collected and/or held, that could result in misuse, interference or loss or unauthorised access, modification or disclosure of this information; 
• contains administrative, technical, and physical controls and procedures that are appropriate to the business;
• designates an employee/s to coordinate and be responsible for the information security program; and
• requires initial and regular refresher training.

Lessons from this case

When leaders aren’t proactive in managing risks, standards of conduct will be imposed upon them.  This case highlights the importance of understanding the fundamentals of an enterprises’ business activities and the expectations of managing the cybersecurity risks associated with those activities.

ACPNS case notes: This article is based on the case note prepared by Professor Emeritus Myles McGregor-Lowndes OAM, QLS Not for Profit Law Committee member. Myles researches charities and nonprofit cases worldwide and publishes key cases in an easy-to-digest format for lawyers through QUT Australian Centre Philanthropy and Nonprofit Studies.  Summaries are free to download and include significant nonprofit cases with links to full case summaries.  QLS Members are encouraged to subscribe to this free resource Legal Case Notes – Australian Centre for Philanthropy and Nonprofit Studies (qut.edu.au).

Footnotes
¹ James Turner, Australian Financial Review, 13 March 2018
² The facts which can reasonably ground a suspicion may be quite insufficient to reasonably ground a belief, yet some factual basis for the suspicion must be shown.