PAW 2020: 'Reboot Your Privacy' by improving email data handling practices

This week is Privacy Awareness Week, an annual initiative run by the Office of the Australian Information Commissioner (OAIC). The theme, "Reboot Your Privacy", challenges organisations to "Ctrl+Alt+Delete" their approach to privacy. The timing is apt given the heightened data risk associated with businesses operating online due to COVID-19.

In this article, we explore how organisations can manage privacy, data security and regulatory risk in respect of their email data handling practices – which is high on the OAIC's regulatory enforcement agenda.

Privacy Awareness Week – time to Reboot Your Privacy

Privacy Awareness Week (PAW) runs from 4-10 May 2020, and is an opportunity for the Office of the Australian Information Commissioner (OAIC) to raise awareness of current privacy and cybersecurity issues amongst the community. It is also an opportunity for the OAIC to emphasise best practice data handling requirements to meet community expectations about respecting and protecting personal information.

This year, the OAIC is challenging organisations to implement strategies to respond to the current COVID-19 situation, by implementing key principles of good privacy practice as follows:

• CTRL – putting the right security controls in place to protect data. This draws on existing requirements to take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, unauthorised modification and unauthorised disclosure.
• ALT – consider the privacy risks and come up with alternatives to limit data risk. The OAIC has re-emphasised the need to conduct privacy impact assessments (PIA) before embarking on data projects, and has provided a useful resource for organisations looking to complete a PIA.
• DELETE – collect only what is necessary and delete or de-identify information if it is no longer required for a legal purpose. This draws on existing requirements to take reasonable steps to destroy or de-identify personal information if it is no longer needed.

Above all, the OAIC is warning organisations to be transparent in how personal information is handled and give people choice wherever possible about the collection and use of their data.

More information about PAW including OAIC resources is available here. Resources are also available to individuals and families to allow them to take their own action to protect their online data interactions during the current environment.

In practice, the OAIC is tasking organisations to take stock of and strengthen their information handling practices, especially as organisations continue to operate in an increasingly digital environment post-pandemic.

We discuss below the OAIC's current approach to email data handling practices (which is high on the agenda), and set out how organisations can 'reboot their privacy' to reduce their overall risk in respect of email usage.

Email Data Handling Practices – high on the OAIC's regulatory agenda

In line with this year's PAW theme, we have recently observed the OAIC's regulatory activity focus on organisations' data governance practices, particularly in respect of the use of email applications and services to store and transmit significant quantities of data.

On Friday 28 February 2020, the OAIC released its latest biannual Notifiable Data Breaches Report,^[1] in which the OAIC provided statistical information on the Eligible Data Breaches reported during the period July to December 2019. 

In the report, notably, the OAIC zoned in on business email compromise incidents (i.e. mailbox breaches) and entities using mailboxes for primary storage of information. Relevantly, the OAIC noted that:

• the compromise of account credentials via phishing emails remains one of the most common causes of data breaches (15% of total incidents) followed by compromised or stolen credentials (14% of total incidents) – accounting for a combined 29% of total incidents;
• in a number of reported incidents, the malicious actor gained access to thousands (and in some cases tens of thousands) of stored emails;
• the affected mailboxes frequently contained large volumes of personal information, including sensitive information such as financial and bank account details, tax file numbers, and health information;
• access to the mailboxes were exploited in two ways:
  • conducting further phishing campaigns or business email compromise attacks against individuals or businesses; and
  • exploiting personal information contained within the account for targeted spear phishing attacks against specific individuals or to carry out identity fraud;
• the large volume of personal information stored in one place made it significantly easier for malicious actors to gain access to information for criminal gain;
• the malicious actor need not gain access to an entity's wider network or servers as information is directly accessible from the mailbox; and
• often forensic investigations are hampered by the lack of audit and access logging making it difficult to determine the full extent of compromised information.

Separately, in the report the OAIC took aim at the means by which entities transmit personal information, with a particular focus on email transmission of personal information. Relevantly, the OAIC made the following observations:

• the use of email for the transmission of personal information carries risk (10% of all incidents notified resulted from personal information being emailed to the wrong person);
• this is particularly the case when email is used for the transmission of sensitive personal information which could lead to a risk of serious harm if disclosed to the wrong individual;
• all entities who handle, store, or transmit sensitive personal information should consider how to protect personal information during every stage of its life cycle, including by considering whether it is necessary to transmit personal information in order to carry out their functions or activities;
• entities are responsible for planning how to handle personal information by embedding privacy protections into the design of information handling practices; and
• relevant to reducing the impact of business email compromise incidents, this may include:
  • deleting emails containing personal or sensitive information from both the inbox and sent box;
  • storing relevant documents in a secure document management system; and
  • password protecting or encrypting documents containing sensitive information which are sent via email.

As evident from the above, the OAIC is now firmly focussing its attention on business email compromise incidents in particular. This is because of the sheer frequency with which these incidents are impacting Australian businesses and the significant impact that such incidents can have on individuals whose personal information is contained within mailboxes.

Against this background, we set out below a roadmap for how organisations can improve email data handling practices.

Rebooting privacy through improved email data handling practices

In an ever increasingly digitally connected world, and with the growing trend of agile and remote working, over the past 15 years there has been a significant increase in use of email services to transmit and store data in the course of doing business.

This increase has been facilitated by the trend over the past 5-10 years to outsource data handling to third party cloud service providers, the increased use of smart phones and other BYOD devices by employees to remotely access workplace assets, and the reduction in data storage costs on cloud based email services.

While there are many benefits to this way of working, there are also increased data security, privacy and cyber-crime risks to manage through the use of email services. Relevant to email data handling practices, under the Privacy Act 1988 (Cth) (Privacy Act), organisations have two key obligations:

• APP11.1 – taking reasonable steps to safeguard personal information; and
• APP11.2 – taking reasonable steps to destroy/de-identify personal information once the personal information is no longer needed.

While the term 'reasonable' is undefined in the Privacy Act, practically speaking, as part of taking 'reasonable steps' to protect personal information, the OAIC requires entities to consider how personal information will be protected at all stages of the information lifecycle. This should be considered before an entity collects personal information (including asking whether it should collect the information at all), as well as when the information is collected and held, and when it is destroyed or de‑identified when no longer needed.

In line with privacy best practice requirements under Australian Privacy Principles 11.1 and 11.2, the OAIC's firm expectation is that organisations are considering what 'best practice' looks like relevant to their circumstances, to:

• prevent incidents from occurring – by implementing current best practice identity management and data security controls (such as strong password protections, two factor authentication, audit logging, geo-blocking and data encryption); and
• address underlying risk factors that increase the severity of an incident should it occur (such as establishing data retention, deletion and de-identification practices to reduce overall data risk in respect of personal information present in mailboxes, and accessible through email applications).

When reporting an Eligible Data Breach through to the OAIC arising out of a business email compromise incident, although the OAIC will typically be interested in understanding how the incident occur (to assess any noncompliance with APP11.1), the OAIC will typically focus on the underlying data handling practices of the impacted entity relating to the use and storage of emails (to assess any noncompliance with APP11.2).

Organisations will need to be prepared to justify their positon to the OAIC by demonstrating that they have proactively taken steps to address these requirements in advance of an incident occurring to mitigate the overall data risk exposure.

Next steps

As organisations adapt to operating in an increasingly digital business environment post-pandemic, when addressing data governance requirements relating to email usage they must ensure that data minimisation and security is a central part of 'the new normal'.

Given that PAW 2020 is about 'rebooting privacy', we encourage all organisations to challenge the myth that all email data is required for all time, and delete data that is no longer required. After all, if data does not exist, it cannot be misused.

To achieve this, organisations should engage in a data mapping exercise, identifying the types of data that they hold, what the statutory retention requirements are in respect of the types of data, and where applicable, take steps to delete or de-identify data no longer in use.

Where data remains in use, organisations should ensure that appropriate steps are being taken to securely share and store sensitive personal information, including through secure file sharing applications (as opposed to emails) which can limit risk if secure access controls are properly implemented and data is encrypted.

In terms of email usage specifically, organisations should consider adopting journaling and archiving strategies as a way of tracking and then removing emails from mailboxes to limit the potential for misuse should that mailbox be compromised. Care should also be taken to ensure that email security controls are properly implemented by external IT / managed service providers responsible for establishing email environments.   

Talk to us if you would like to discuss our Data Governance and Retention Readiness package to help address the above concerns, as well as our Vendor Compliance package to ensure that appropriate data security and privacy terms are in place with third party providers.

How can we help?

Clyde & Co has the largest dedicated and rapidly expanding cyber incident response practice in Australia and New Zealand. Our experienced team have dealt with over 700 data breach and technology related disputes in recent times, including a number of the largest and most complex incidents in Asia Pacific to date.

From pre-incident readiness, breach response, through to defence of regulatory investigations and proceedings, as well as recovery actions against wrongdoers, we assist clients in Asia Pacific across the full cyber lifecycle. Our team is also highly regarded for their expertise and experience in managing all forms of disputes across sectors including advising on some of the most newsworthy class actions commenced in Australia.

Our 24 hour cyber incident response hotline or email allows you to access our team directly around the clock. For more information, contact us on:

• Australia: + 61 2 9210 4464
• New Zealand: 0800 527 508
• cyberbreach@clydeco.com

^[1]https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-report-july-december-2019/.