The cost to organisations of data breaches is set to rise as the government flags increased penalties for breaches and law firms prepare for a precedent-setting privacy class action against Optus.
CRN spoke to Avocado Consulting, StickmanCyber and DVULN on how the ripple effects of Australia’s biggest data breach could affect managed security services providers.
How increased penalties affect risk assessment and stakeholder communication
MSSPs said a rise in the financial damage a cyber attack can wreak could lead to more quantitative risk assessments, to organisations allowing MSSPs more scope to secure their whole attack surface, and to reputational damage extending from the client to the MSSP.
Avocado Consulting cyber security practice lead David Vohradsky said increased costs for data breaches would accelerate “demand for a quantitative threat and risk assessment”.
“Costs will rise because of the Optus breach and as part of our risk assessments, we are focused on quantifying them and the potential for much higher costs from a large-scale breach.
“Increased penalties for data breaches appear to be a certainty with Cyber Security Minister O’Neil indicating the government’s urgent desire to align our legislation and level of penalties to the rest of the world.”
In Australia, the penalties for breaches are capped at $2.2 million under the Privacy Act, whereas European regulators can fine companies €20 million (A$29.8 million) or four percent of global revenue for non-compliance with customer privacy laws.
Attorney General Mark Dreyfus has said the current review of the Privacy Act could be fast-tracked to introduce tougher penalties for breaches by the end of the year.
Vohradsky said this would see security advisors adopting financial metrics that resonated with stakeholders.
“Cyber security leaders need to be able to articulate the threat and risk in business terms, quantifying the metrics to present an ROI that the business leaders can understand and then support the mitigation actions needed.”
DVULN CEO Jamieson O'Reilly said that if the Optus hack resulted in organisations paying higher costs for breaches, they might listen more to their security providers and give them a broader scope to remediate vulnerabilities across their entire attack surface.
“Sometimes a security provider will alert an organisation to a vulnerability and they will say things like ‘this is a development server, I don’t need to secure it because it’s less likely to have customer data than a production server.’ However, there may be consequences of not securing a development server as well; it could be used to pivot to the production server for instance.”
Noting that it was not clear whether any MSSP had any responsibility for preventing the Optus hack, O'Reilly said that if the financial costs to clients increased, the reputational costs to their MSSPs could also increase.
“I think it puts focus on our security brand and the reputation of security service providers,” he added.
“If you think about the organisations that were breached in the last 24 months you could probably name them off the top of your head, but now tell me which MSSP each one of those companies was using? You probably couldn’t name even one.
“This could lead to breaches having more of an impact on the brand of the MSSP who was responsible for preventing the breach, and that could create a better quality of service because there’d be much more accountability from both sides.”
How would class actions affect MSSPs?
Only a few class actions have been filed in Australia in response to data breaches and only one has been won, but a class action on the scale of a breach involving 9.8 million customers could set a significant precedent.
The MSSPs said class actions, like increased penalties for breaches, could alter how they assess, quantify and communicate risk to their clients, and that it was possible but unlikely that the costs of class actions would be borne by clients’ security providers.
“There is the possibility for organisations that fall victim to cyber-attacks to cross-litigate against their cyber-security advisers. However, liability will depend on many factors including the scope of the engagement and the circumstances involved in the breach,” Vohradsky said.
StickmanCyber chief executive officer Ajay Unni said, “a class action is normally towards a large enterprise with a significant number of affected customers, but the impact of it can sometimes flow onto third-party providers such as MSSPs and MSPs who support that large enterprise.”
“The larger enterprise may choose to start legal proceedings with their own third parties as part of the class action on them if the presumed issue flows down to them.”
“I have seen many instances of these, not just class actions, but service providers paying penalties to large enterprise customers - separate and additional to any legal actions - to maintain the client relationship.”
Slater and Gordon have said thousands of Optus customers have registered interest in filing a class action. Maurice Blackburn is also considering filing a class action; it already has one against the telco over a 2019 breach involving 50,000 Optus customers.
Optus-owner Singtel has said, “any class action will be vigorously defended if commenced”.
Vohradsky said, “the experience we see in the US is that class actions generally tend to succeed if they can demonstrate repeated breaches or a systemic lack of care.”
The feasibility of demonstrating that Optus's negligence caused the exfiltration may become clearer at the conclusion of Deloitte’s audit of the breach. Optus has called it a “sophisticated attack” while some researchers have argued that the attacker “accessed an unauthenticated API endpoint.”
“Organisations in these situations come out with whatever information is at hand to show their eagerness and commitment to being open and transparent and often end up sharing incomplete or unvalidated information that comes back to bite them at a later date,” said Unni.
Australia is second only to the US as the most attractive jurisdiction to file class actions because of our plaintiff-friendly laws, according to Allens. There have been 421 class actions in the last decade.
The closest precedent to the class action Maurice Blackburn and Slater and Gordon are considering was a 2019 case that Centennial Lawyers won on behalf of ambulance workers whose data was stolen by one of their employer’s contractors.
The NSW Health Department was ordered to pay 108 of its employees $275,000 in compensation in 2019. The NSW Supreme Court found that the agency had failed to prevent the theft of the ambulance workers’ data, which the contractor sold to a personal injury lawyer.
Centennial Lawyers are also investigating filing a class action against NDIS client management system provider CTARS over a security breach that exposed NDIS participants’ health data.