  • Economic volatility to exacerbate cyber risk in 2023 – Cybersecurity Dive

    Global economic uncertainty hangs over everything like a dark cloud, triggering market volatility and risk across the cybersecurity sector as well.
    “Cybersecurity is not immune to recessions — research indicates that cyberattacks increase during and following economic downturns,” the Bipartisan Policy Center said in the report.
    Key risk factors related to a potential recession include delayed innovation and inadequate budgets for long-term investments.
    Organizations have improved corporate governance in cybersecurity, but the headway has been modest at best, according to the Bipartisan Policy Center. Distance between security professionals and the C-suite on information flow and decision making, and a lack of technical expertise on boards of directors are compounding this risk and must be addressed.
    The think tank also called out vulnerable infrastructure, particularly third- and fourth-party vendors that may lack necessary cybersecurity controls, as a top risk for 2023.
    “Vulnerable software, operating systems, or other infrastructure almost always factor into consequential security incidents and data breaches,” the report said.
    “Keeping pace with patching and replacing end-of-life software and hardware is a major operational burden for organizations of all sizes. When this need is ignored, the cost, complexity and likelihood of incidents multiply over time,” the think tank warned in its report.
    Other top macro risks include overlapping and conflicting regulations, talent scarcity, geopolitical tension and an accelerating cyber arms race.
    The report pulled from a working group assembled to identify the top cybersecurity risks confronting all stakeholders. Members include current and former officials in state and federal government and executives from banking, cloud, communications, health, energy and other sectors.

    source

  • Rapid7 Brings Threat Intel Data to USF Cybersecurity Lab – Dark Reading

    At the most basic level, security research happens when curious people poke around data. What makes it good security research is when these people have access to good data and the right kind of skills.
    That is what Rapid7 hopes to accomplish with its new partnership with the University of South Florida to create a cyber threat intelligence laboratory. The Boston company recently made a $1.5 million donation via the Rapid7 Cybersecurity Foundation to set up the Rapid7 Cyber Threat Intelligence Laboratory at the school.
    Rapid7 will provide the laboratory with access to its massive data initiatives, including Metasploit, Velociraptor, and Sonar, says Corey Thomas, Rapid7’s CEO. The laboratory will support interdisciplinary research efforts by faculty experts and students and help drive a deeper understanding of the challenges defenders are currently facing.
    “We are already investing in the data, and we want more people to use the data,” says Thomas, noting that people with varying experiences and backgrounds bring diverse perspectives and wind up using the data differently. “Start with the same data and get different insights,” Thomas says.
    The students will have the opportunity for hands-on learning and cybersecurity skills development as well as real-world experience tracking global threat actors. Laboratory projects and research based on threat intelligence data will help students better understand the challenges security practitioners face as they protect users, Thomas says. The laboratory would play a role in helping to educate and develop the next generation of security professionals, he adds.
    Through the laboratory, students and faculty will have access to real world data they can use for research and training, which is an “unprecedented opportunity,” Robert Bishop, dean of the USF College of Engineering, says in an email to Dark Reading. “Most importantly, this partnership is going to bring the campus together on cybersecurity research.”
    The laboratory will launch by establishing an interdisciplinary faculty leadership foundation with a new directorship in the USF College of Engineering and endowed faculty positions created in four USF colleges: the College of Arts and Sciences, College of Behavioral and Community Sciences, College of Engineering, and the Muma College of Business. The laboratory will also work closely with the State of Florida’s Cyber Florida initiative, a program based out of the university focused on expanding and enhancing the cybersecurity workforce in the Tampa Bay region.
    Rapid7 already has a history of investing in the community, Thomas says. There are many areas of collaboration in threat intelligence, incident response, and information sharing. With this partnership with the University of South Florida, the company is “escalating our commitment to open data, open research, and open threat intelligence,” Thomas says.
    Thomas says he is not going to try to predict what kind of research projects will come out of the laboratory. Rapid7 is providing the data, but the university faculty and students will be pushing forward their own ideas and perspectives. “We aren’t controlling the outcome — the professors and students have their own plans,” Thomas says.
    Many universities have established cybersecurity laboratories to provide students with hands-on learning opportunities to gain cybersecurity skills and real-world experience in the field. A laboratory setting makes it possible to refine techniques, get access to resources from outside partners, and collaborate across disciplines to drive research in security technology and techniques. The results of laboratory research help improve the industry’s understanding of attacker behavior, and those insights then flow back to practitioners to apply in their jobs.
    Back in 2018, the Royal Bank of Canada (RBC) opened a cybersecurity laboratory at the University of Waterloo to help build advanced cybersecurity and privacy tools. The RBC investment supported researchers in the David R. Cheriton School of Computer Science and the Department of Combinatorics and Optimization at Waterloo’s Faculty of Mathematics, according to the university. Research projects included data-driven software defined security, privacy-enhancing technologies, and post-quantum cryptography. Defense contractor Northrop Grumman partnered with California Polytechnic University back in 2014 to establish the Cal Poly–Northrop Grumman Cyber Lab as a cybersecurity teaching facility. The lab gave faculty and students the opportunity to engage with experts from other higher education institutions, private businesses, defense and government agencies, and research labs.
    These private-sector partnerships with educational institutions also focus on developing a cybersecurity workforce. For example, IBM partnered with Historically Black Colleges & Universities to establish Cybersecurity Leadership Centers. As part of the partnership, IBM provides a customized security curriculum and learning platform to complement each university’s cybersecurity education offerings. Faculty and students also have access to IBM Security’s Command Center, an immersive training experience on how to respond to cyberattacks.
    The Rapid7 Cyber Threat Intelligence Laboratory fits in with ongoing cybersecurity initiatives at the University of South Florida because of the focus on developing the skills needed to enter the cybersecurity workforce. The university recently received a $3.7 million grant from the National Science Foundation (NSF) to establish the Cybersecurity Research and Education for Service in Government (CREST) program. The NSF grant would provide scholarships for over two dozen graduate and undergraduate students to prepare them for in-demand and high-paying jobs with the federal government and other public institutions, according to a university press release. The funds will also be used to bolster educational and research resources at the Florida Center for Cybersecurity, or Cyber Florida, which is housed at USF and gives students access to classroom simulations and experiential learning opportunities. There is also a program to help professionals without a computer science background enter a master’s program in the field, according to Dr. Sudeep Sarkar, distinguished university professor and department chair of computer science and engineering at the University of South Florida.
    “By focusing on both continuing education for professionals and enhancing current cybersecurity education efforts, USF is working to fill the talent pipeline for one of the fastest growing and most lucrative fields in the United States,” Sarkar tells Dark Reading in an email exchange.
    Copyright © 2023 Informa PLC. Informa UK Limited is a company registered in England and Wales with company number 1072954, whose registered office is 5 Howick Place, London, SW1P 1WG.

    source

  • Why Is Hub Cyber Security (HUBC) Stock Up 62% Today? – InvestorPlace

    Copyright © 2023 InvestorPlace Media, LLC. All rights reserved. 1125 N. Charles St, Baltimore, MD 21201.
    HUBC stock is bouncing back from recent dips
    Hub Cyber Security (NASDAQ:HUBC) stock is on the rise shortly after the company went public through a special purpose acquisition company (SPAC) merger with Mount Rainier Acquisition Corp.
    That merger took place on Wednesday and saw the company’s shares change over to the new HUBC stock ticker. However, the company didn’t go public without its own drama, as certain issues caused the stock to fall with its debut.
    That negative momentum continued on Thursday, when shares fell 21.4% in regular trading hours as more than 11 million shares changed hands.
    Now, it seems like shares of HUBC stock are finally done falling as they rally this morning. The company’s shares are climbing 62.4% in pre-market trading on Friday. That comes as 10 million shares of the stock change hands.
    Hub Cyber Security is a cybersecurity company that’s targeting a different form of data protection. The company seeks to protect data when it’s in use, rather than just in storage or in transit. The company seeks commercial customers as well as contracts with large businesses and governments for cloud data protection.
    On the date of publication, William White did not hold (either directly or indirectly) any positions in the securities mentioned in this article. The opinions expressed in this article are those of the writer, subject to the InvestorPlace.com Publishing Guidelines.

    Article printed from InvestorPlace Media, https://investorplace.com/2023/03/why-is-hub-cyber-security-hubc-stock-up-62-today/.

    source

  • 7 trends that could shape the future of cybersecurity in 2030 – World Economic Forum

    Organizations must be prepared to tackle cybersecurity threats. Image: Freepik.com

    © 2023 World Economic Forum

    source

  • WH Smith staff data hit by cyber-attack – BBC

    High Street retailer WH Smith has been hit by a cyber-attack, with hackers accessing some of its workers' data.
    Data that may have been breached includes names, addresses, National Insurance numbers and dates of birth of the firm's current and former UK staff.
    However, its website, customer accounts and customer databases are not affected, WH Smith said.
    The company said it had launched an investigation and had told the relevant authorities of the incident.
    "WH Smith takes the issue of cyber-security extremely seriously and investigations into the incident are ongoing," it said.
    "We are notifying all affected colleagues and have put measures in place to support them."
    It added: "There has been no impact on the trading activities of the group. Our website, customer accounts and underlying customer databases are on separate systems that are unaffected by this incident."
    WH Smith did not say how many of its current and former employees had been affected by the breach, which took place earlier this week. The company employs about 10,000 people in the UK across its High Street stores and outlets at railway stations and airports.
    The Information Commissioner's Office, a watchdog which investigates data breaches, said it was aware of the incident and was investigating.
    Lauren Wills-Dixon, an expert in data privacy law at law firm Gordons, said retailers were at a higher risk of cyber-attack because of the large amount of data they hold on their customers and employees.
    "There is also enhanced reputational risk and potential for disruption because retailers are so reliant on public trust and confidence, which cyber incidents threaten to undermine. This makes the retail sector an attractive target."
    She added that attacks on employees' data could be more damaging than others because the type of data companies hold about their staff means a leak can lead to a greater risk of identity theft for the affected individuals.
    This year has already seen two cyber-attacks on high-profile UK companies.
    In January, Royal Mail was hit by a Russian-linked ransomware attack that caused severe disruption to overseas deliveries for several weeks.
    That same month sportswear chain JD Sports said that it had been targeted by a cyber-attack which could have put data relating to 10 million customers at risk.
    In April last year, online greeting card company Funky Pigeon, which is owned by WH Smith, was hit by a cyber-attack that left it unable to process orders for several days.
    © 2023 BBC. The BBC is not responsible for the content of external sites. Read about our approach to external linking.

    source

  • Belgium's cyber security agency links China to spear phishing attack … – Financial Times


    source

  • 2022 Healthcare Data Breach Report – HIPAA Journal

    Posted by Steve Alder on Jan 24, 2023
    For the first time since 2015, there was a year-over-year decline in the number of data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR), albeit only by 1.13%, with 707 data breaches of 500 or more records reported. Even with that reduction, 2022 still ranked as the second-worst year ever in terms of the number of reported breaches.

    As the year drew to an end, data breach numbers started to decline from a high of 75 data breaches in October. Time will tell whether this trend will continue in 2023, although the lull in data breaches appears to have continued so far this year with an atypically low number of breaches currently showing on the OCR data breach portal this month.

    In addition to the slight reduction in reported data breaches, there was also a drop in the number of breached records, which fell by 13.15% from 54.09 million records in 2021 to 51.9 million records in 2022.

    The theft of protected health information places patients and health plan members at risk of identity theft and fraud, but by far the biggest concern is the threat to patient safety. Cyberattacks on healthcare providers often cause IT system outages, which in many cases have lasted several weeks causing considerable disruption to patient care. While there have not been any known cases of cyberattacks directly causing fatalities, the lack of access to patient data causes diagnosis and treatment delays that affect patient outcomes. Multiple studies have identified an increase in mortality rates at hospitals following ransomware attacks and other major cyber incidents.
    These cyberattacks and data breaches result in huge financial losses for healthcare organizations. The 2022 IBM cost of a data breach report indicates the average cost of a healthcare data breach increased to an all-time high of $10.1 million in 2023, although data breaches can be significantly more expensive. In addition to the considerable breach remediation costs, security must be improved, cyber insurance premiums increase, and it is now common for multiple class action lawsuits to be filed following data breaches. There is also a risk of financial penalties from regulators.
    The largest ever healthcare data breach, suffered by Anthem Inc in 2015, affected 78.8 million members and cost the health insurer around $230 million in clean-up costs, $115 million to settle the lawsuits, $39.5 million to settle the state attorneys general investigation, and $16 million to resolve the OCR investigation. Even much smaller data breaches can prove incredibly costly. Scripps Health suffered a data breach of 1.2 million records in 2021 due to a ransomware attack. The attack caused losses in excess of $113 million due to lost business ($92 million) and the clean-up costs ($21 million). There are also several lawsuits outstanding and there could be regulatory fines.
    There were 11 reported healthcare data breaches of more than 1 million records in 2022 and a further 14 data breaches of over 500,000 records. The majority of those breaches were hacking incidents, many of which involved ransomware or attempted extortion. Notable exceptions were several impermissible disclosure incidents that resulted from the use of pixels on websites. These third-party tracking technologies were added to websites to improve services and website functionality, but the data collected was inadvertently transmitted to third parties such as Meta and Google when users visited the websites while logged into their Google or Facebook accounts. The extent to which these tracking technologies have been used by healthcare organizations prompted OCR to issue guidance on these technologies, highlighting the considerable potential for HIPAA violations.
    While 2022 saw some very large data breaches reported, the majority of reported data breaches were relatively small. 81% of the year’s data breaches involved fewer than 50,000 records, and 58% involved between 500 and 999 records.

    Hacking incidents dominated the breach reports with 555 of the 707 reported breaches (71.4%) classified as hacking/IT incidents, which accounted for 84.6% of all breached records in 2022. The average breach size was 79,075 records and the median breach size was 8,871 records. It is important to note that while the number of healthcare data breaches declined slightly year-over-year, the number of hacking/IT incidents increased by 1.65% in 2022. Attacks are still increasing, but at a much lower rate than in the previous 3 years.

    There were 113 reported unauthorized access/disclosure breaches reported in 2022, accounting for 14.5% of the breached records. The average breach size was 66,610 records due to some large pixel-related data breaches, and the median breach size was 1,652 records. Unauthorized access/disclosure incidents have been decreasing since 2019.

    Theft (23 breaches) and loss (12 breaches) incidents were reported in relatively low numbers, continuing a downward trend from these once incredibly common data breaches. The downward trend is due to better control of devices and the use of encryption. The average breach size was 13,805 records and the median breach size was 1,704 records. There were four incidents involving the improper disposal of devices containing PHI and physical records. The average breach size was 1,772 records and the median was 1,021 records.

    The high number of hacking incidents is reflected in the chart below, which shows the location of breached protected health information. Compromised email accounts remain a major source of data breaches, highlighting the importance of multi-factor authentication and training employees on how to recognize the signs of phishing.

    The raw data on the OCR breach portal does not accurately reflect the extent to which business associate data breaches are occurring. Factoring in business associate involvement gives a more accurate gauge of how many data breaches are occurring at business associates. In 2022, 127 data breaches were self-reported by business associates, but there were 394 reported data breaches in which business associates were involved, a 337% increase since 2018. Last year, data breaches at business associates outnumbered data breaches at healthcare providers for the first time.

    Several major business associate data breaches were reported to OCR in 2022, with some of the data breaches affecting several hundred healthcare organizations. A data breach at the debt collections company, Professional Finance Company, affected 657 of its healthcare clients and involved more than 1.91 million healthcare records. Eye Care Leaders, a provider of electronic health records to eye care providers, suffered a cyberattack that affected at least 41 eye care providers and exposed the data of almost 3.65 million patients.

    The graph below shows the sharp increase in data breaches at business associates in recent years. There are several reasons for the increase. Hackers have realized the value of conducting attacks on business associates. One successful attack can provide access to the data, and sometimes networks, of all of the vendor’s clients. Healthcare organizations are now using more vendors to manage administrative functions and risk increases in line with the number of vendors. As more vendors are used, it becomes harder to monitor cybersecurity at the vendors. Managing third-party risk is one of the biggest challenges for healthcare organizations in 2023.
    Data breaches by HIPAA-regulated entity type, 2009 to 2022
    Healthcare data breaches were reported by HIPAA-regulated entities in 49 states, Washington D.C., and Puerto Rico in 2022. Alaska was the only state to survive the year with no reported data breaches. In general, the most populated states suffer the most data breaches. In 2022, the 10 most populated U.S. states all ranked in the top 15 worst affected states, although it was New York rather than California that topped the list with 68 reported breaches.
    HIPAA is primarily enforced by OCR, with state attorneys general also assisting with HIPAA enforcement. OCR imposed more financial penalties for HIPAA violations in 2022 than in any other year to date, with 22 investigations resulting in settlements or civil monetary penalties.

    OCR has limited resources for investigations but does investigate all breaches of 500 or more records. That task has become increasingly difficult due to the increase in data breaches, which have tripled since 2010. Despite the increase in data breaches, OCR’s budget for HIPAA enforcement has hardly increased at all, aside from adjustments for inflation. As of January 17, 2022, OCR had 882 data breaches listed as still under investigation. 97% of all complaints and data breach investigations have been successfully resolved.
    Some investigations warrant financial penalties, and while the number of penalties has increased, the penalty amounts for HIPAA violations have been decreasing. Most of the financial penalties in 2022 were under $100,000.
    HIPAA Settlements and Civil Monetary Penalties 2008-2022
    Since 2019, the majority of financial penalties imposed by OCR have been for HIPAA right of access violations, all of which stemmed from complaints from individual patients who had not been provided with their medical records within the allowed time frame. OCR continues to pursue financial penalties for other HIPAA violations, but these penalties are rare.
    HIPAA enforcement by state attorneys general is relatively rare. Only three financial penalties were imposed in 2022 by state attorneys general. In these cases, penalties were imposed for violations of the HIPAA Rules and state laws.
    Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.
    Copyright © 2014-2023 HIPAA Journal. All rights reserved.

    source

  • Newly Unsealed Indictment Charges Ukrainian National with … – Department of Justice

    AUSTIN – A newly unsealed federal grand jury indictment charges Mark Sokolovsky, 26, a Ukrainian national, for his alleged role in an international cybercrime operation known as Raccoon Infostealer, which infected millions of computers around the world with malware.
    According to court documents, Sokolovsky, who is currently being held in the Netherlands pursuant to an extradition request by the United States, conspired to operate the Raccoon Infostealer as a malware-as-a-service or “MaaS.” Individuals who deployed Raccoon Infostealer to steal data from victims leased access to the malware for approximately $200 per month, paid for by cryptocurrency. These individuals used various ruses, such as email phishing, to install the malware onto the computers of unsuspecting victims. Raccoon Infostealer then stole personal data from victim computers, including log-in credentials, financial information, and other personal records. Stolen information was used to commit financial crimes or was sold to others on cybercrime forums. 
    In March 2022, concurrent with Sokolovsky’s arrest by Dutch authorities, the FBI and law enforcement partners in Italy and the Netherlands dismantled the digital infrastructure supporting the Raccoon Infostealer, taking its then existing version offline.
    Through various investigative steps, the FBI has collected data stolen from many computers that cyber criminals infected with Raccoon Infostealer. While an exact number has yet to be verified, FBI agents have identified more than 50 million unique credentials and forms of identification (email addresses, bank accounts, cryptocurrency addresses, credit card numbers, etc.) in the stolen data from what appears to be millions of potential victims around the world. The credentials appear to include over four million email addresses. The United States does not believe it is in possession of all the data stolen by Raccoon Infostealer and continues to investigate.
    The FBI has created a website where anyone can input their email address to determine whether it is contained within the U.S. government’s repository of Raccoon Infostealer stolen data. The website is raccoon.ic3.gov. If the email address is within the data, the FBI will send an email to that address notifying the user. Potential victims are encouraged to fill out a detailed complaint and share any financial or other harm experienced from their information being stolen at FBI’s Internet Crime Complaint Center (IC3) at ic3.gov/Home/FileComplaint.
    “This case highlights the importance of the international cooperation that the Department of Justice and our partners use to dismantle modern cyber threats,” said Deputy Attorney General Lisa O. Monaco. “As reflected in the number of potential victims and global breadth of this attack, cyber threats do not respect borders, which makes international cooperation all the more critical. I urge anyone who thinks they could be a victim to follow the FBI’s guidance on how to report your potential exposure.”
    “I applaud the hard work of the agents and prosecutors involved in this case as well as our international partners for their efforts to disrupt the Raccoon Infostealer and gather the evidence necessary for indictment and notification to potential victims,” U.S. Attorney Ashley C. Hoff said. “This type of malware feeds the cybercrime ecosystem, harvesting valuable information and allowing cyber criminals to steal from innocent Americans and citizens around the world. I urge the public to visit the FBI’s Raccoon Infostealer website, find out if their email is within the stolen data, and file a victim complaint through the FBI’s IC3 website.”
    “Today’s case is a further reminder the FBI will relentlessly pursue and bring to justice cyber criminals who seek to steal from the American public,” said FBI Deputy Director Paul Abbate. “We have once again leveraged our unique authorities, world-class capabilities, and enduring international partnerships to maximize impact against cyber threats. We will continue to use all available resources to disrupt these attacks and protect American citizens. If you believe you’re a victim of this cybercrime, we urge you to visit raccoon.ic3.gov.”
    “This case highlights the FBI’s unwavering commitment to work closely with our law enforcement and private sector partners around the world to hold cybercriminals accountable for their actions and protect the American people from cybercrime,” said FBI Special Agent in Charge Oliver E. Rich Jr. “This case also serves as a reminder to public and private sector organizations of the importance to report internet crime and cyber threats to law enforcement as soon as possible. Working together is the only way we’re going to stay ahead of rapidly changing cyber threats.”
    “This indictment demonstrates the resolve and close cooperation of the Army Criminal Investigation Division and the FBI working jointly to protect and defend the United States,” stated Special Agent in Charge Marc Martin, Army CID’s Cyber Field Office. “Army CID would also like to thank our law enforcement partners in Italy and the Netherlands.”   
    Sokolovsky is charged with one count of conspiracy to commit computer fraud and related activity in connection with computers; one count of conspiracy to commit wire fraud; one count of conspiracy to commit money laundering; and one count of aggravated identity theft. The Amsterdam District Court issued a decision on September 13, 2022, granting the defendant’s extradition to the United States. Sokolovsky has appealed that decision.
    If convicted, Sokolovsky faces a maximum penalty of 20 years in prison for the wire fraud and money laundering offenses, five years for the conspiracy to commit computer fraud charge, and a mandatory consecutive two-year term for the aggravated identity theft offense. A federal district court judge will determine any sentence after considering the U.S. Sentencing Guidelines and other statutory factors.
    The FBI’s Austin Cyber Task Force, with the assistance of the Department of the Army Criminal Investigation Division (Army CID), is investigating the case. The FBI Austin Cyber Task Force is supported by Army CID, Austin Police Department, the Naval Criminal Investigative Service, the Round Rock Police Department and the Texas Department of Public Safety.
    Victims of the Raccoon Infostealer can find more information at www.justice.gov/usao-wdtx/victim-assistance-raccoon-infostealer. Assistant U.S. Attorneys Michael C. Galdo and G. Karthik Srinivasan are prosecuting the case. The Department of Justice’s Office of International Affairs is assisting with foreign evidence requests and the extradition request.
    U.S. Attorney Hoff and Special Agent in Charge Rich would also like to thank the FBI Legal Attachés in Rome, The Hague, and Warsaw for their assistance in the investigation and disruption of the Raccoon Infostealer, along with the following foreign partners: Ministry of Justice of Italy; Special Unit for the Protection of Privacy and Technological Fraud of the Italian Guardia di Finanza; Procura della Repubblica di Brescia; the Netherlands Ministry of Justice and Security; Netherlands Police; and Netherlands Public Prosecution Service.
    An indictment is merely an allegation and the defendant is presumed innocent until proven guilty beyond a reasonable doubt in a court of law.
    ###

    source

  • Press release CMS Responding to Data Breach at Subcontractor – CMS

    CMS Notifying Potentially Involved Beneficiaries and Providing Information on Free Credit Monitoring
    The Centers for Medicare & Medicaid Services (CMS) is responding to a data breach at Healthcare Management Solutions, LLC (HMS), a subcontractor of ASRC Federal Data Solutions, LLC (ASRC Federal), that may involve Medicare beneficiaries’ personally identifiable information (PII) and/or protected health information (PHI). No CMS systems were breached and no Medicare claims data were involved. Initial information indicates that HMS acted in violation of its obligations to CMS and that the incident involving HMS has the potential to impact up to 254,000 Medicare beneficiaries’ personally identifiable information out of the over 64 million beneficiaries that CMS serves. This week, CMS is mailing beneficiaries that have been potentially impacted a letter from CMS notifying them directly of the breach.  A copy of that letter can be found below.
    “The safeguarding and security of beneficiary information is of the utmost importance to this Agency,” said CMS Administrator Chiquita Brooks-LaSure. “We continue to assess the impact of the breach involving the subcontractor, facilitate support to individuals potentially affected by the incident, and will take all necessary actions needed to safeguard the information entrusted to CMS.”
    The services provided to CMS under the contract with ASRC Federal include resolving system errors related to Medicare beneficiary entitlement and premium payment records. The contractors’ services also support the collection of Medicare premiums from the direct-paying beneficiary population. The contractor does not handle Medicare claims information.
    CMS is notifying Medicare beneficiaries whose PII and/or PHI may have been put at risk as a result of the breach that they will receive an updated Medicare card with a new Medicare Beneficiary Identifier, be offered free-of-charge credit monitoring services, and will provide additional information about the incident.  
    Sample letter to potentially affected beneficiaries:
    [CMS LOGO]
     
    Dear <<BENEFICIARY>>
    We are writing to inform you of a potential privacy incident involving your personal information related to Medicare entitlement and premium payment records. The Centers for Medicare & Medicaid Services (CMS), the federal agency that manages the Medicare program, is sending you this letter so that you can understand more about this incident, how we are addressing it, and additional steps you can take to protect your privacy. We will issue you a new Medicare card with a new Medicare Number and have provided information with this notice on free credit monitoring services. This does not impact your Medicare benefits or coverage.
    What Happened?
     On October 8, 2022, Healthcare Management Solutions (HMS), LLC, a CMS subcontractor, was subject to a ransomware attack on its corporate network. HMS handles CMS data as part of processing Medicare eligibility and entitlement records, in addition to premium payments. Initial information indicates that HMS acted in violation of its obligations to CMS, and CMS continues to investigate the incident. No CMS systems were breached, and no Medicare claims data were involved. On October 9, 2022, CMS was notified that the subcontractor’s systems had been subject to a cybersecurity incident but CMS systems were not involved. As more information became available, on October 18, 2022, CMS determined with high confidence that the incident potentially included personally identifiable information and protected health information for some Medicare enrollees. Since then, CMS has been working diligently with the contractor to determine what information and which individuals may have been impacted.
    What Information Was Involved?
    After careful review, we have determined that your personal and Medicare information may have been compromised. This information may have included the following:
    No claims data were involved in this incident.
    What We Are Doing
    When the incident was reported, we immediately started an investigation, working with the contractor and cybersecurity experts to identify what personal information, if any, might have been compromised. CMS is continuing to investigate this incident and will continue to take all appropriate actions to safeguard the information entrusted to CMS.
    What You Can Do
    At this time, we’re not aware of any reports of identity fraud or improper use of your information as a direct result of this incident. However, out of an abundance of caution we are issuing you a new Medicare card with a new number. CMS will mail the new card to your address in the coming weeks. In the meantime, you can continue to use your existing Medicare card. After you get your new card, you should:
    1. Follow the instructions in the letter that comes with your new card.
    2. Destroy your old Medicare card.
    3. Inform your providers that you have a new Medicare Number.
    While we continue to investigate what, if any, banking information may have been compromised, if you have concerns, please contact your financial institution and let them know your banking information may have been compromised. Additionally, you can enroll in free Equifax Complete Premier credit monitoring service. You do not need to use your credit card to enroll in the service. To activate your free credit monitoring:
    For questions about the credit monitoring service or to enroll in Equifax Complete Premier over the phone, please call Equifax’s customer care team by (insert date) at <<xxx-xxx-xxxx>>.
    We have enclosed additional information about other steps you can take to further protect your privacy.
    For More Information
    We take the privacy and security of your personal information very seriously. We apologize for the inconvenience this privacy incident has caused. 
    If you have any further questions regarding this incident, please call the Equifax dedicated and confidential toll-free response line at <<xxx.xxx.xxxx>>. This response line is staffed with professionals familiar with this incident who know what you can do to protect against misuse of your information. The response line is available Monday through Friday, <<X>>am to <<X>>pm Eastern. You can also call 1-800-MEDICARE (1-800-633-4227) with any general questions or concerns about Medicare.
    ###
    CMS News and Media Group
    Catherine Howden, Director

    202-690-6145

    source

  • Cyber security incidents impact data breach risk – OAIC

    Several large-scale data breaches impacted millions of Australians’ personal information in the second half of 2022, as part of a 26% increase in breaches overall, according to the latest Notifiable data breaches report released today.
    Australian Information Commissioner and Privacy Commissioner Angelene Falk said cyber security incidents in particular can have significant impacts on individuals, and organisations need to be alert to the risks.
    “We saw a significant increase in data breaches that impacted a larger number of Australians in the second half of 2022,” she said.
    “Cyber security incidents continue to have a significant impact on the community and were the cause of the majority of large-scale breaches.”
    Thirty-three of the 40 breaches that affected over 5,000 Australians were the result of cyber security incidents.
    “Organisations should take appropriate and proactive steps to protect against and respond to a range of cyber threats,” Commissioner Falk said.
    “This starts with collecting the minimum amount of personal information required and deleting it when it is no longer needed.”
    Commissioner Falk said organisations need to be vigilant as large-scale compromises of personal information may lead to further attacks.
    “As personal information becomes increasingly available to malicious actors through breaches, the likelihood of other attacks, such as targeted social engineering, impersonation fraud and scams, can increase.
    “Organisations need to be on the front foot and have robust controls, such as fraud detection processes, in place to minimise the risk of further harm to individuals,” she said.
    The Office of the Australian Information Commissioner has clear expectations of best practice with regard to data breach preparation and response, to ensure individuals are protected from harm.
    “In response to a breach, organisations need to provide information to individuals that is timely and accurate.
    “As well as setting out the kinds of information breached, the notification must include recommendations about clear steps people should take in response,” said Commissioner Falk.
    The reporting period also saw the enactment of the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022. Among other things, the Act:
    “While we will continue to work with organisations to facilitate voluntary compliance, we will use these regulatory powers where required to ensure compliance with the Notifiable Data Breaches scheme,” said Commissioner Falk.
    “We also welcome the further proposals to strengthen the Notifiable Data Breaches scheme in the Attorney-General’s Department’s Privacy Act review report.”
    Read the Notifiable data breaches report July to December 2022.

    source