Playing dumb no longer an option against ransomware reporting
Australia's privacy regulator has had enough.
In its latest Notifiable Data Breaches Report, the Office of the Australian Information Commissioner (OAIC) called out entities who were playing fast and loose when defining which breaches were subject to disclosure.
These comments foreshadowed the release of the Federal Government's Ransomware Action Plan, which introduces a mandatory ransomware incident reporting regime for businesses.
The warning concerned several ransomware incidents where organisations did not report the attack because they had self-assessed it did not rise to a 'notifiable breach'.
In making the determination, the OAIC said these organisations had relied on a 'lack of evidence' that exfiltration or access had occurred.
In a remarkably blunt statement of guidance, the OAIC summed up its advice for enterprises considering not reporting a ransomware attack in the future:
"It is insufficient for an entity to rely on the absence of evidence of access to, or exfiltration of, data to conclusively determine that an eligible data breach has not occurred."
The reasoning behind this is quite simple. Ransomware has been through a well-documented evolution where the M.O. is no longer just locking up data but also stealing it and threatening to release it if ransom demands aren't met.
In other words, the non-reporting entities, which had been through a ransomware attack and could not prove whether or not sensitive data had been accessed, were placing their trust in the criminals who had attacked them. They trusted that the attackers had 'only' encrypted their data because they lacked the evidence to show it had also been exfiltrated.
While acknowledging the traditional difficulty in assessing such attacks, Angelene Falk, Australian Information and Privacy Commissioner, reminded organisations subject to the Privacy Act of their obligations.
"We expect entities to have appropriate internal practices, procedures and systems in place to assess and respond to data breaches involving ransomware, including a clear understanding of how and where personal information is stored across their network," she said.
The line in the sand couldn't be clearer.
Ignorance will no longer be an option for organisations that choose not to report ransomware attacks. They will need the receipts to back up claims that personal information was not accessed or exfiltrated.
The Ransomware Action Plan drives home the point. While the new mandatory ransomware reporting regime is a welcome step, businesses need to know what they're reporting – particularly whether sensitive data has been accessed.
Given the massive amounts of data enterprises hold today, and the sheer breadth of the ecosystems hosting them, it might seem like an impossible task to definitively prove what data was accessed and by whom.
It isn't.
Automated data governance platforms greatly simplify this task and help minimise the risk of sensitive data exposure in the first place.
One of the biggest data governance challenges enterprises face is that they struggle to understand what data they have, where it is, and whether it contains sensitive information. Data governance platforms can scan an entire ecosystem and use predefined policies to identify where sensitive data resides and ensure it is always stored appropriately.
Following an attack, these same platforms can then automate self-assessment so organisations can quickly identify whether any sensitive data was exposed or exfiltrated.
Armed with this knowledge, enterprises can rapidly inform impacted customers so steps can be taken to avoid further harm, and regulators can be notified with a complete understanding of the scope, scale, and severity of the breach.
While loopholes like the grey area in whether a breach is notifiable or not might have offered some enterprises comfort in the past, the OAIC's latest report and Australia's new Ransomware Action Plan make it clear these are closing — and they're closing fast.