Managing Cyber Risk

Schools hold lots of personal, private and potentially highly sought after information. As the leader of your school, you have significant obligations to properly manage and protect this information under the Privacy Principles, discussed in a previous issue.

Whilst it is important to be aware of your obligations under the Privacy Act and other relevant legislation, it is more important to ensure you have practical strategies in place to respond to any unpleasant circumstances when your cyber security is breached.

What is cyber security?

Cyber security refers to the security and protections afforded to the information stored on your network. The relevant data may include family names, addresses and phone numbers, credit card details, and birth certificates or religious certificates.

Data may be stored digitally or on paper but the focus of this BLP Brief is on information stored on networks, laptops, USB, hard drives, printers, scanners, databases and so on.

Cyber security breaches are on the rise. Private education sector is the fourth biggest victim of data breaches.

What is cyber breach?

A cyber breach occurs where sensitive, protected or confidential data is or has been potentially viewed, stolen or used by an unauthorised person.

How do attacks occur?

There are various ways breaches can occur including:

1. Malicious attacks – when a ‘hacker’ breaches security with the intention of stealing private information.

2. Targeted phishing attacks – when seemingly harmless links in an email or ‘pop up’ are followed but those links are in fact malicious and infect or ‘steal’ data.

3. Negligence/mistake of employees or contractors – where devices are lost or stolen, information is accidentally or unintentionally disclosed or forwarded.

4. Technological glitches – where a device was not a secure as intended, or if a device was improperly cleared or destroyed.

EXAMPLE
Nagle Catholic College WA
June 2019

The Nagle Catholic College case highlights not only the vulnerability of schools to cyber attacks, but the value in responding immediately and proactively to a cyber breach event.

This incident involved a malicious phishing attack on Nagle Catholic College. The attack was based in a malicious link innocently opened by one of the school’s staff members. The link was in fact a virus and obtained financial information of parents including bank account information, credit card details and associated parent signatures.

Fortunately, the Principal of the College handled the issue incredibly well. The breach was immediately reported to both the diocesan office and also to the affected or potentially affected parents. The Principal took immediate action to investigate and stop the breach and limited its impact on the school community.

Why should you be aware of this?

Aside from the obvious and previously legal obligations, including reporting breaches where necessary, you must also be aware of and consider the financial implications and potential reputation damage that may flow from a data breach incident. Serious data breaches and incorrectly managed responses to breaches can seriously damage the school’s brand and trustworthiness. Failure to act can also attract fines by the Commissioner.

When do you need to report a breach?

According to the Commonwealth Privacy Amendment Act, a breach must be reported when you have reasonable grounds to believe there is an “eligible data breach” – a breach that is “likely to cause serious harm”.

The Victorian equivalent Act does not require mandatory reporting. You should seek legal advice if you are unsure of the application of the relevant legislation to your school.

Reporting may be to affected individuals directly, those who are at serious risk or by a general statement on your website or other media platform.

NOTE: Importantly, if prompt and effective action is taken that means that the breach is not likely to result in serious harm, you may not need to report the breach. Accordingly, it is crucial that your school maintains an appropriate and effective Incident Response Plan.

Overall recommendations

Steps to minimise risk and protect a school from data breaches can include, among other things:

Undertaking a risk assessment – be aware of the data you hold, the potential risks and the consequences of a breach.
Policies – develop policies that reduce the risk of breaches and ensure you monitor and review these.
Training – ensure staff are aware of security risks including phishing emails
Security – implement technologies to secure information
Be careful when entering into contracts – it is imperative to conduct due diligence when contracting for IT security services. BLP recommend seeking legal advice to review all third party contracts, including these for IT, before entering into those contracts.

Practical strategies

Never respond to blackmail
Respond as immediately as possible
Have an action plan. An Incident Response Plan is critical to manage and mitigate any harm from a cyber breach
Communicate with, and keep updating, affected parties and be clear on what you know, what you don’t know
Seek advice as soon as possible
Self report if necessary

How can Brennan Law Partners assist?

Brennan Law Partners can assist you to be proactive in protecting against cyber breaches. Contact us to review your policies and procedures to ensure they are effective and up to date and let us know immediately if you are hesitant about appropriate steps to take in a given situation.

Most importantly, ensure your staff are trained and up to date with latest cyber scams. It is internal mistakes that often compromise the security of internal data. If you would like Brennan Law Partners to present a training seminar to you and your staff about cyber security at your school, please book here.

If you have any questions regarding any information in this BLP Brief, we welcome you to contact us at any time.

This is meant as a guide only and should not be taken as legal advice.