AISA SUBMISSION

Response to the Office of the Australian Information Commissioner’s Consultation paper: Mandatory data breach notification in the eHealth record system

September 25, 2012

The Australian Information Security Association

The Australian Information Security Association (AISA) is an Australian representative industry body for the information security profession. Formed in 1999, AISA is focused on individual professional membership with a current membership of 1600 security specialists. AISA aims to foster and promote the development of information security professionals and the security of the ICT industry.

Our broad membership base consists of information security professionals from all industries including education, finance, government, healthcare, manufacturing, mining, oil and gas, transportation, and utilities. Our members range from company directors and managers, lawyers, risk professionals and architects to highly skilled technical security specialists, professors and researchers.

AISA Recommendations

Comments in Response to Consultation paper: Mandatory data breach notification in the eHealth record system

We note the following stimulus questions posed in the Consultation Paper:

  • Substance: The OAIC's data breach notification guide is intended to set out entities' reporting obligations under the PCEHR Act. Will the draft guide assist entities to meet their obligations? Are there any ways the guide could better assist entities to meet their obligations?
  • Substance: Are there any other factors, not covered in the guide, which entities should consider when taking steps to respond to a data breach? (see ‘Responding to a notifiable data breach')
  • Substance: Is the language used in the guide sufficiently clear and informative for the target audience? If not, how could the language be improved?
  • Format: Is the guide structured in a clear manner which is informative for the target audience? If not, how could the structure be improved?
  • Education: Are there any other ways the OAIC could help entities meet their data breach notification reporting obligations under the PCEHR Act?

General

As a general comment, AISA supports the issuance of Guides by the OAIC. They provide invaluable assistance to organisations in attempting to determine how best to meet their obligations. As well, they contribute to the transparency of the compliance expectations of the OAIC.

AISA also supports the introduction of more general mandatory data breach notification laws and is interested in ensuring the effective operation of these provisions as part of the regulatory response to the increasing problem of data breaches. A recommendation to this effect was included in the AISA Submission to the Prime Minister and Cabinet’s Cyber Whitepaper. This recommendation was based on findings from our survey of our membership conducted in October 2011 with 215 respondents. These findings, which were later ratified at the AISA National Conference on 9th November, 2011 by its 700 attendees, include the following:

  • 77% agreed that Australia needs wider data protection laws, with 87% agreeing that there is not appropriate accountability for the impacts of security breaches
  • A majority of respondents had experienced inadequate reporting of security incidents, with only 5% agreeing that current Government and law enforcement statistics were accurate. This corresponds with 45% of respondents reporting that the occurrence of security breaches and associated costs within their organisations were kept secret.

Substance

AISA supports the intent and content of the Guide, particularly to the extent that it reflects and is consistent with the OAIC's voluntary data breach notification guide: A guide to handling personal information security breaches.

As a general comment, although AISA appreciates that the focus of this Guide is to provide more detail on the appropriate notification process, it would be useful if that notification process also referenced a broader incident response plan, which includes other considerations that may arise in the context of a data breach.

Information security practitioners use a Security Incident Response process which typically includes the following steps:[1]

  • Make an initial assessment.
  • Communicate the incident.
  • Contain the damage and minimize the risk.
  • Identify the type and severity of the compromise.
  • Protect evidence.
  • Notify external agencies if appropriate.
  • Recover systems.
  • Compile and organize incident documentation.
  • Assess incident damage and cost.
  • Review the response and update policies.

The steps are not necessarily sequential and can run in parallel. They are also often iterative. There may be a number of iterations of the containment, identification and recovery steps as the investigation and remediation work continues and the extent of the incident and its impact becomes clearer. It would be useful if the Guide could provide some guidance on the point at which the first notification should be made and how future notifications might occur as details of the event become better understood and further clarity about the incident can be provided.

The Guide refers to the requirement to provide notice “as soon as practicable”. This is a problematic provision for our members, as it involves weighing up concerns such as thoroughly investigating and containing the incident against the need to allow affected consumers the opportunity to protect themselves. It would be useful if more assistance was provided to clarify what this might entail. Examples, such as the Sony/Qriocity breach notification delay, could be provided.

We note that the Guide provides a list of information that should be included in the notice, including:

  • a description of the breach outlining the unauthorised collection, use, disclosure or threat to the security or integrity of the eHealth record system
  • the type of personal information involved
  • how many individuals were or may have been affected
  • when the breach occurred
  • what caused the breach
  • whether the breach was accidental or deliberate or still being resolved
  • when and how the entity became aware of the breach
  • steps taken to contain the breach, a risk evaluation and detail about actions taken (or proposed) to prevent recurrence
  • steps that were already in place to prevent the breach
  • any other entities involved
  • whether the SO/OAIC has also been notified
  • the name and contact details of an appropriate contact person within the entity.

The collation of this data will take some considerable time and resources and may conflict with the idea that notification be given “as soon as practicable.” It could be useful to provide information about a staged notification process, particularly in regard to high risk breaches.

Other suggestions:

  • A diagram or process chart showing the different reporting obligations of private, State and Federal RROs, RPOs and SOs.
  • The process includes as Step 1 taking immediate steps to contain the breach. This may not be the most appropriate course of action in all cases – particularly if the incident involves criminal behaviour and law enforcement are involved in the collection of appropriate evidence.
  • We query the inclusion of Step 4 of the requirement to establish a management team and fully investigate the breach. This could be seen as in conflict with Step 1 where a person or team is designated to coordinate the response. It would be more helpful to distinguish the roles of the different teams, and to make some suggestions about team members that should be considered, for example, the Privacy Officer and Legal Counsel.

Format

It would be helpful if the Guide included more diagrams of the reporting obligations.

Further examples of the application of some of the more difficult concepts would be of use, such as the evaluation of risks associated with the breach.

The description of the steps – under the heading “Responding to a notifiable data breach” – could be moved to a more prominent place in the Guide.

It would also be good if the Guide included links to other resources to assist in the data breach response and notification processes, including:

  1. Standards for the management of technical evidence
  2. Standards Australia Handbook – Guidelines for the management of IT evidence (HB 171)
  3. United States National Institute of Science and Technology, Special Publications:
     • Guide to Integrating Forensic Techniques into Incident Response (SP800-86)
     • Computer Security Incident Handling Guide (SP800-61)

Education

AISA would be happy to host an information session for its members regarding the Guide and reporting obligations.

AISA would also be happy to include information about the Guide on its website.

Contacts and Further Information

Gary Gaskell

AISA Policy Sub Committee Chair

[redacted]

Phone [redacted]

Benn Dullard

AISA National Director

[redacted]

Phone [redacted]


[1] See, for example,