InfoGovANZ

Information Governance Think Tank

InfoGovANZ

Cleansing and Organizing Unstructured Data Stores in Preparation for Migration – ActiveNav

by

Background

Regional wholesaler and largest supplier of treated water in the United States serving 19 million people, The Metropolitan Water District of Southern California (The “District”) had accumulated 80 TB of data over 30 years of file share use. With 1800 employees, the process to clean up the data was not only a technical feat, but also a daunting organizational project.

A District-wide employee assessment determined the legacy file systems were not meeting the District’s needs for sharing information among staff and stakeholders. Staff reported they could not readily find information needed for daily operations and much of the data appeared obsolete.

To improve information access and governance, the District planned to migrate its file share data to the cloud and tag it with searchable metadata. However, they realized that first the data needed to be understood, cleansed, and better organized.

At a Glance

ABOUT

  • Public Sector Utility 1800 Employees
  • 17 Major Business Units

CHALLENGES

  • 80 TB of content
  • more than 5 million folders
  • 200+ file shares
  • File system data had become an obstacle to productivity

RESULT

  • Indexed 40+ million files
  • 40% of data was ROT or duplicated
  • Restructured to align with business operations

PROCESS

  • Discover what data existed on the file shares
  • Decide what had no operational value
  • Sustain compliance and record management requirements

Setting Up for Success

To ensure a successful cloud migration the District planned a two phase strategy:

  1. Discover: The District’s more than 200 file shares were, among other things, an obstacle to productivity. The first step was the daunting task of discovering what data existed on the file shares so then, they could decide was worth keeping.
  2. Decide: In order to decide the value of maintaining data or discarding it, ActiveNav met with over 400 stakeholders across 190 sub-business units and teams. Once the decision to keep the data was made, it was then prepared for migration to the cloud.
  3. Sustain: Cloud migration and metadata tagging of 40 million files / 80 TB meant that the District was set up for sustainable records compliance.

Originally, the District’s data comprised over 40 million files which included:

  • Engineering drawings
  • Photos
  • Videos
  • System files
  • All manners of office documents from every department

The District knew it needed automated tools and expert assistance to discover the data and facilitate its cloud migration strategy. It selected the ActiveNav file discovery and management system and engaged professional services for consultation.

“I’m confident today that by using and partnering with ActiveNav, the work over the last few years has positioned us well for taking the next step of deploying an ECM system and actually having that technology work as intended because of the foundation built and the prep work ActiveNav allowed us to do,” said Steve Gonzales, Information Governance and Enterprise Content Management Manager.

Making Sense of the Data

During phase 1, Discovery, the District’s information management specialists team and ActiveNav’s consultants indexed over 200 file share name spaces. The team conducted data review sessions with business units to evaluate suspected ROT data identified by Discovery Center’s out-of-the-box ROT rules.

During phase 2, Decide, ActiveNav worked with more than 400 stakeholders from business units to decide on the value of the indexed data. Some business units identified as much as 40% of their file share data as being ROT, redundant, obsolete, and trivial (ROT) data and had no operational value and was no longer subject to record retention. This ROT would be excluded from migration to the cloud and deleted after final governance review. ActiveNav helped business units restructure their folders to consolidate them and decide what aligned with present day operations. The result was a streamlined and logical folder structure containing files cleansed of ROT. Business units enthusiastically participated, saying they had wanted to do file cleanup for years but did not have the tools required.

Gonzales added, “Change management was also a big piece. We’ve been doing things the same way for a very long time. The technology made it easy so we could truly focus on change management. One of the most successful outcomes of this project to date is how quickly peoples’ behavior changed. I’d say the vast majority bought in very early on, even people that were nervous about this project.”
One of the most successful outcomes of this project to date is how quickly peoples’ behavior changed. I’d say the vast majority bought in very early on, even people that were nervous about this project.

In addition to data cleansing and restructuring, ActiveNav’s file content analysis capabilities were used in support of other information governance objectives, including:

  • Identifying terminology used by business units to help update the District’s records retention schedule.
  • Identifying and categorizing documents related to specific elements of the District’s vast infrastructure such as pumping stations, water treatment plants, dams, hydroelectric plants, reservoirs, pipelines, and canals.
  • Identifying duplicate and overlapping folder paths leading to the same file content.

“I want to emphasize that I look at ActiveNav as having a multifaceted approach to our project in particular. It wasn’t only the software that got us to where we are today, but the capabilities of the ActiveNav team and how we really, truly depended on that to have success in this area,” says Steve Gonzales. “We refer to ActiveNav as our strategic partner and think the combination of their services and its technical solution is really what made us successful.”.

Meeting Future Needs

With ActiveNav Governance, the District was able to complete discovery and prepare to take the next step toward cloud migration. The District plans to further utilize ActiveNav in migrating the cleaned-up file shares into its new cloud repository. Once migrated, the District will use ActiveNav’s file analysis capabilities to categorize, tag and sustain files.

ActiveNav’s combination of services and technical solutions set the District up for the future compliance sustainability, which includes remaining compliant and meeting record management requirements. The District recognized how ActiveNav’s repeatable process of discovering, deciding and sustaining their information governance helped them get their employees to change their behavior and encouraged them to adopt plans and strategies for the future.

The Bottom Line

Again, without ActiveNav I don’t know that our organization would be ready today to take those next steps. Thankfully, it was a very enjoyable project because of those outcomes, and certainly the highlight of my career that, again, I was able to enjoy thanks to that partnership and the outcomes and success that we accomplished together.
Steve Gonzales, Information Governance and Enterprise Content Management Manager at The Metropolitan Water District of Southern California.

Originally published at ActiveNav here.

Privacy Act Review Report

by

The long awaited report reviewing Australia’s Privacy Act 1988 has been released by the Australian Government, proposing significant changes including individual rights modelled on the GDPR, such as the right to request erasure, and notification of databreaches to Office of the Australian Information Commissioner within 72 hours.

Attorney-General Dreyfus’ statement releasing the report says, ‘the Privacy Act has not kept pace with the changes in the digital world. The large-scale data breaches of 2022 were distressing for millions of Australians, with sensitive personal information being exposed to the risk of identity fraud and scams.’

In relation to security, destruction and notifiable databreaches the report states, ‘recent large-scale data breaches have highlighted the vast amount of personal information that is collected and retained by entities, and the need for entities to put in place stronger protections to prevent unauthorised access to Australians’ information. The best way to protect personal information is for entities to minimise the amount of personal information they collect and retain. The Act already requires entities to only collect what is reasonably necessary and to destroy personal information when it is no longer required. This requirement would be reinforced through enhanced OAIC guidelines for entities on the reasonable steps they should take to destroy or de-identify personal information so that they can be in a better position to meet their obligations. In addition, this Report proposes that entities should determine, and periodically review, the period of time for which they retain personal information. There should be a further review of legal provisions outside of the Privacy Act that require certain forms of personal information to be retained. This further work should determine if those requirements appropriately balance the intended policy objectives with the privacy and cyber security risks of entities holding significant volumes of personal information. The Report also proposes enhancements to the Notifiable Data Breach scheme (NDB scheme) so that, when a data breach occurs, quick action can be taken to minimise harm to affected individuals. Proposed new data breach reporting obligations, including notifying the Information Commissioner (IC) within 72 hours of becoming aware of a data breach, would assist with this objective. The Report also proposes further work to better facilitate reporting processes for entities with multiple reporting obligations.’

The Government is now seeking feedback on the 116 proposals in this report before deciding what further steps to take.

Submissions on the report are due on 31 March 2023.

Read the report here – https://bit.ly/3YAZ9b7

Information Lifecycle Management: what is it and how it reduces risk?

by

Most organisations are collecting and generating exponentially increasing volumes of data each year.  However, many organisations struggle to safely and efficiently dispose of data that is no longer needed for regulatory retention requirements or for legitimate purposes, as required, for example, under the Australian Privacy Principles (APPs), the General Data Protection Regulation (GDPR) and the Californian Privacy Rights Act (CPRA). On top of the complexity of keeping track of data within the organisation, the perception that data is ‘the new oil’ and increasingly cheap storage costs are typical reasons why data is not actively managed and disposed of when no longer required. The Optus Data Breach and the increasing number of decisions by regulators in the US and EU underscore the risk and consequences of over-retention of data for organisations.  Most of these decisions on over-retention of data arise from inadequate cyber security and have resulted in monetary sanctions and, […]
Member only content (join now)

ChatGPT Proves a Mediocre Law Student

by

[Note: InfoGovANZ thanks Craig Bell for permission to republish his article here, which was first published on Ball in Your Court] I recently spent a morning testing ChatGPT’s abilities by giving it exercises and quizzes designed for my law and computer science graduate students. Overall, I was impressed with its performance, but also noticed that it’s frequently wrong but never in doubt: a mechanical mansplainer! If you’re asking, “What is ChatGPT,” I’ll let it explain itself: “ChatGPT is a large language model developed by OpenAI. It is a type of machine learning model called a transformer, which is trained to generate text based on a given prompt. It is particularly well-suited to tasks such as natural language processing, text generation, and language translation. It is capable of understanding human language and generating human-like text, which makes it useful for a wide range of applications, such as chatbots, question-answering systems, and […]
Member only content (join now)

OECD Declaration on Government Access to Personal Data held by Private Sector Entities

by

On 14 December 2022, the OECD members adopted the Declaration on Government Access to Personal Data held by Private Sector Entities. It is an intergovernmental agreement on common approaches to safeguard privacy and other human rights and freedoms when accessing personal data for national security and law enforcement purposes, and seeks to promote trust in cross-border data flows, a critical enabler of the global economy. The scope of the declaration consists of three main sections: Legitimate government access on the basis of common values Promoting trust in cross-border data flows Principles for government access to personal data held by private sector entities You can read the Declaration here - OECD Legal Instruments
Member only content (join now)

OECD Declaration on a Trusted, Sustainable and Inclusive Digital Future

by

On 15 December 2022, the OECD members adopted the Declaration on a Trusted, Sustainable and Inclusive Digital Future. The Declaration calls on the OEDC through the Committee on Digital Economy Policy (CDEP) to develop policy standards and guidance for a trusted, sustainable, inclusive digital future for our countries that reflect shared values and put people at the centre. The background to the Declaration is the accelerated digital transformation, particularly since the COVID-19 pandemic, which has brought opportunity and risk, requiring policy makers to develop whole-of-government policy response and manage related risks. The list of actions is extensive and wide-ranging – you can read them here OECD Legal Instruments .
Member only content (join now)

NIST AI Framework

by

The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released its AI Risk Management Framework (AI RMF 1.0) a guidance document for use by organisations designing, developing, deploying or using AI systems to help manage the many risks of AI technologies. It was released along with a companion NIST AI RMF Playbook, AI RMF Explainer Video, an AI RMF Roadmap, AI RMF Crosswalk, and various Perspectives. To get an overview of the AI national and international regulatory landscape at October 2022, you can read the NSW Information and Privacy Commissioners high-level analysis and overview here - AI National and International Regulatory Landscape - InfoGovANZ
Member only content (join now)

Changes to Australia’s Privacy Act: Overview and Preparation Checklist

by

In the wake of the recent wave of high-profile data breaches at Optus, Medibank and MyDeal, the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 was passed by Federal Parliament on 28 November 2022. The Attorney-General referred to the data breaches as having highlighted ‘the potential to cause serious financial and emotional harm to Australians’ and that the Bill sends a clear message that the government takes privacy, security and data protection seriously.

Penalties have been significantly increased under the Privacy Act 1988 (Cth), and the Privacy Commissioner now has increased powers to resolve privacy breaches. The Notifiable Data Breaches Scheme has also been strengthened.

Increased penalties

Penalties for a serious or repeated breach of privacy have significantly increased from a maximum of $2.22 million to not more than the greater of:

  • $50 million;
  • three times the value of any benefit obtained through the misuse of the information; or,
  • if the value of the benefit obtained cannot be determined, 30% of a company’s domestic turnover in the relevant period, which is a minimum 12 months.

In the Second Reading Speech, the Attorney-General stated that, ‘penalties for privacy breaches cannot be seen as simply the cost of doing business. Entities must be incentivised to have strong cyber and data security safeguards in place to protect Australians.’

Strengthened Notifiable Data Breaches Scheme (NDB Scheme)

The existing NDB Scheme has been strengthened in two significant ways:

  • Empowering the Privacy Commissioner to assess an entity’s compliance with the Scheme’s requirements.
  • Providing the Privacy Commissioner with new information-gathering powers in regard to the Scheme’s reporting and notification requirements.

Enhanced enforcement powers

The Bill has also improved the powers available to the Privacy Commissioner to:

  • resolve privacy breaches by empowering the Commissioner to publish notices about specific breaches of privacy or otherwise ensure those directly affected are informed;
  • compel entities to undertake external reviews to improve their practices to reduce the likelihood of them committing a breach again; and
  • provide new information-gathering powers to conduct assessments and new infringement notice powers that can be used if an entity fails to provide information when required, without the need to engage in litigation.

Extraterritorial powers

The Privacy Act’s extraterritoriality provisions have been amended, so that foreign organisations which ‘carry on a business’ in Australia must meet the obligations under the Privacy Act. In the second-reading speech, the Attorney-General explained that the purpose of this amendment is ‘to ensure Australia’s privacy laws remain fit for purpose in a globalised world and to ensure the Privacy Act can be enforced against global technology companies who may process Australians’ information on servers offshore’.

Greater information sharing arrangements

The Privacy Commissioner has the express power to publish a final determination following a privacy investigation as well as information about their final assessment report. The Commissioner is able to publish information about other matters, such as an update about an ongoing privacy investigation, if it is in the public interest.

The Commissioner is also able to share information with enforcement bodies, alternative complaint bodies and privacy regulators for the purpose of the Commissioner or the receiving body exercising their functions and powers. The Australian Communications and Media Authority also now has better powers to share information within government for enforcement purposes.

The aim of the improved information sharing arrangements is to ‘drive better cooperation between regulators in order to deliver better outcomes for Australians’.

 

PREPARATION CHECKLIST

Review the checklist below to see how well prepared your organisation is to demonstrate compliance with the Australian Privacy Act 1988 (Cth).

1. Policy Compliance

Check that Privacy Policies and Notices are up-to-date and compliant.

  • Audit whether your Privacy Policy is being adhered to within the organisation.
  • Audit whether the collection of personal data accords with the Privacy Notice.

2. Data Minimisation

Check – what personal data does your organisation really need to collect?

One of the critical risks to finally receive attention in Australia arising from the Optus and Harcourt data breaches is the over-collection and over-retention of personal data.

Review Privacy Notices and audit personal data being collected to assess whether it is reasonably required to provide a service or to be collected in accordance with a regulatory obligation to collect and retain that personal data.

3. Data Over-Retention

Check the process for securely disposing personal data.

Audit whether personal data is being disposed of when it is no longer required to be retained in accordance with the organisation’s Records and Archiving Policy or with regulatory requirements to retain records.

In light of the recent high profile data breaches, the over-retention of personal data poses a significant risk for organisations in the event of a serious data breach.

4. Data Map

Ensure there is an up-to-date data map showing where data is stored, particularly personal data, which is essential for:

  • robust information lifecycle management, including disposal of data that is no longer required to be retained;
  • responding efficiently to a serious data breach by being able to quickly identify types of data that have been subject to unauthorised access;
  • demonstrating the measures in place to protect and secure personal data in accordance with the requirements of the Privacy Act.

Check whether it includes identifying and locating personal data in all the organisation’s systems including cloud storage and any third-party systems listed on the data map identifying all the locations where personal data is stored.

5. Data Security

Ensure the organisation is prepared to defend against and respond to cyber-attacks and incidents by assessing whether:

  • Organisational IT policies (BYOD, password, data management, IT procurement, network access) are up to date and being complied with (check via audit).
  • Necessary steps have been taken to protect personal data in the custody of the organisation – e.g. encryption being applied to all personal data both in transit and at rest as required.
  • User, application and backend access controls are correct and up to date. Personal data is being held in locations with limited or just-in-time access.
  • Local, cloud-based and third party controlled applications used by the organisation have been tested for security suitability and approved for use.
  • The organisation has fit-for-purpose security software and hardware to assist in the prevention, detection and response to security incidents (e.g. multi-factor authentication on critical systems particularly those with external access, anti-virus/mal-ware suites, actively managed proxy firewalls, intrusion detection systems, enterprise incident response applications).
  • Proactive steps to build security culture and awareness within the organisation are taking place (e.g. training, education, phishing and social engineering exercises).
  • Relevant security information and performance metrics are being reported to executives and the board.

6. Data Breach Incident Response Plan

Check if your data breach incident response plan has been reviewed and updated. Consider the following elements:

  • Are roles and responsibilities during a data breach clearly laid out and up to date?
  • Are there clear escalation procedures and established arrangements to activate internal or external incident response specialists?
  • Does the plan have sufficient detail and guidance to address both deliberate and accidental data breach incidents, as well as internal and external originating threats?
  • Are there protocols in place for the capture and analysis of logs and other records from critical systems in the event of a suspected breach?
  • Does the response plan provide sufficient guidance on how to approach internal and external communications, particularly with media and customers?
  • Has there been a recent data breach response training exercise carried out involving executives, Board and key players listed in the response plan?

7. Robust Information Governance

Implement and/or review the Information Governance Framework and policies to ensure adequate holistic information governance reporting, identifying and monitoring privacy compliance across the organisation, including the various areas of privacy and legal, IT and cybersecurity and records and information siloes.

A robust enterprise-wide information governance framework provides a mechanism to coordinate and collaborate across the organisational siloes and to promote an information and data protection culture led from the top-down to minimise privacy and data breach risks.

At least one-third of all data breaches are caused by human error and many other successful cyberattacks are greatly enabled by human error from within an organisation.  Robust information governance can greatly assist in both minimising data and information risks as well as enabling organisations to maximise data and information value.

Authors: Susan Bennett, Founder and Executive-Director InfoGovANZ and Dr Peter Chapman, Forensic Technology Expert and InfoGovANZ Advisory Board

NSW introduces Mandatory Notification of Data Breaches

by

On 16 November 2022, the NSW Parliament passed amendments to the Privacy and Personal Information Protection Act 1998 (PIPA). The amendments to the PPIP Act aim to strengthen privacy legislation in NSW by:

  • creating a Mandatory Notification of Data Breaches (MNDB) Scheme which will require public sector agencies bound by the PPIP Act to notify the Privacy Commissioner and affected individuals of data breaches involving personal or health information likely to result in serious harm; and
  • applying the PPIP Act to all NSW state-owned corporations that are not regulated by the Commonwealth Privacy Act 1988 

The MNDB Scheme will require agencies to satisfy other data management requirements, including to maintain an internal data breach incident register, and have a publicly accessible data breach policy.  Read the media release and statement here from NSW Privacy Commissioner, Samantha Gavel on guidance and resources to prepare for the new Scheme to ensure the required systems, processes and capability is in place.

The amendments to the PPIP Act can be accessed on the NSW Parliament website here.

AI National and International Regulatory Landscape

by

The NSW Information and Privacy Commissioners have undertaken a high level scan of the national and international regulatory relevant to AI, which includes:

  • Governance models used internationally in regulating AI and a recognition of Horizontal and Hybrid (broad based and legislative/policy) and Vertical (rights specific and single treatment type) approaches to AI regulation.
  • High level categorisation of risks to information access and privacy rights that arise in the use of AI together with treatments to manage identified risks.

Read the full report here.

InfoGovANZ is delighted to announce a new platinum sponsorship with Ansarada

by

Ansarada is a global information governance platform that companies, advisors and governments rely on for securely managing their critical information in high-stakes processes like deals, risk, compliance, board governance and infrastructure procurement. Ansarada is the software relied upon by business professionals in over 180 countries worldwide.

As businesses grow and get more complex, processes are often the first thing to slip. Ansarada puts an end to inefficient, chaotic, outdated and risky systems by providing a comprehensive toolkit for all things governance. Run everything from risk and compliance to ESG programs to audits in one centralised hub. A little more order, a lot less risk.

Ansarada believes when information and processes are structured correctly, organisations gain the insight and confidence required to achieve better outcomes.  Ansarda’s mission is to protect and raise every company’s potential and we are delighted that Ansarada are committed to working the members of InfoGovANZ and to support the community in achieving global best practices in information governance and innovation. Together we can seek to ensure that the professional discipline of information governance is recognised as a key component of governance strategies to effectively govern, align and manage the risks and opportunities arising from the exponential growth of data in the information age.

We look forward to Ansarada becoming a valued member of the InfoGovANZ community.

UK Department of Education reprimanded after misuse of personal information of up to 28 million children

by

The UK’s Information Commissioner, John Edwards, has issued a reprimand to the Department for Education following the prolonged misuse of the personal information of up to 28 million children and a failure to do due diligence on who could access pupils’ learning records. An employment screening firm, trading as Trustopia, used the database to assist another organisation in checking if people opening online gambling accounts were 18.

Read more here.

What is ‘dark data’ and how is it raising carbon footprints?

by

In this article from the World Economic Forum, Tom Jackson and Ian R. Hodgkinson identify that organisations need to think about how to manage their data to minimise their digital carbon footprint.

Storage of ‘dark data’ defined as single-use data in the article, data takes up space on servers and results in increased electricity consumption.  The authors point out that digitization generated 4% of global greenhouse gas emissions in 2020.

To read more on how dark data contributes to carbon emissions, and how organisations can lower their carbon footprint, click here.

COVIDSafe privacy report

by

In November, OAIC published their final COVIDSafe privacy report in accordance with s 94ZB of the Privacy Act, which examined compliance and risk throughout the ‘information lifecycle’ of COVID app data collected during the pandemic.

Read the COVIDSafe Report May–November 2022 here.

Balancing Organisational Accountability and Privacy Self-management in APAC

by

The Asian Business Law Institute and Future of Privacy Forum has published a report providing a detailed comparison of the requirements for processing personal data in 14 jurisdictions in APAC including Australia, China, India, Indonesia, Hong Kong SAR, Japan, Macau SAR, Malaysia, New Zealand, the Philippines, Singapore, South Korea, Thailand, and Vietnam.

Individual reports for these 14 jurisdictions can be accessed here: ABLI-FPF Convergence Series – Balancing Organizational Accountability and Privacy Self-management in Asia-Pacific.

RIMPA and InfoGovANZ announce continued alliance

by

InfoGovANZ and RIMPA Global Signature

RIMPA and InfoGovANZ are delighted to announce their continued alliance.

RIMPA has been aligned with InfoGovANZ for some years enabling members to embrace and learn from InfoGovANZ leaders in information governance.

The term ‘information governance’ brings together a broad range of professionals from information and records management, legal, privacy, eDiscovery, cybersecurity and information security, AI, data analytics and infonomics.  InfoGovANZ continues to lead the region on information governance thought leadership, innovations and global best practices through its international community.  RIMPA brings a rich history and expertise in records and information management to the InfoGovANZ community.   Our organisations provide important forums for the latest  learning, education and collaboration for our respective members.

Working towards a global framework, RIMPA embrace what InfoGovANZ represent as the leaders in our region bringing together information governance thought leaders globally to promote best practices.

We look forward to the continued alliance and a range of learning opportunities for our respective members in 2023.

Susan Bennett, Executive Director, InfoGovANZ and Anne Cornish, CEO, RIMPA 

7 December 2022

Questions for boards to ask about cybersecurity

by

The Australian Cyber Security Centre  (ACSC) has released a guide for boards and executives that discusses high-level topics to know about cyber security within organisations.  Boards need to proactively build an understanding of their organisation’s specific cyber threat and risk environment.

The Guide sets out how the board can understand as much as possible about cyber security risks, how they can stay informed and the questions they should be asking to mitigate cyber risks.

Read the ACSC Guide here.

LawFest 22: Re-connecting & challenging your thinking

by

On 28 September, 365 legal professionals from across Aotearoa and abroad gathered in person in Auckland for the premier legal innovation and technology event on the New Zealand calendar.

LawFest is the only opportunity in New Zealand for the legal and technology community to come together to network, collaborate and learn about how to innovate and adapt to change – and to do so in-person ! After the disruption we have collectively faced over the past couple of years, there was even greater appreciation of the value of face-to-face connection!

The event was once again a must for anyone interested in driving efficiency in their organisation.

 

The key highlights

The one-day event was a great opportunity to hear from leaders and change makers in the innovation space. The programme provided something for everyone, from those new to technology, to those currently at the forefront of legal innovation.

Over 25 amazing speakers, delivered practical insights of how to innovate and leverage technology to help you deliver legal services for today and the future. From Developing an Innovative Mindset, Client Centred Innovation, NewLaw, Digital Transformation, Wellbeing, Māori Transformational Leadership, Privacy, Trust & Technology, AI, eDiscovery, Responding to Data Breaches, Attracting new Clients through to Legal Design, LawFest had something for everyone.

Frances Valintine CNZM, founder at Tech Futures Lab was the opening keynote as she inspired and challenged thinking with her expertise in creating a mindset that is adaptable and embraces change. Frances delivered practical tips to help you with your innovation initiatives and prepare you for now and the future. She reinforced the importance to be inspired and empowered to take risks, step off the conveyor belt, think originally, and lead with possibility – to create greater value for your clients.

The day was wrapped up by a fantastic final keynote by Mark A. Cohen – one of the world’s leading legal industry thought leaders. Mark examined the key elements of New Law and how legal professionals can prepare for it and be ready to embrace it, whilst challenging the thinking of all in attendance.

PwC NewLaw Directors, Marlo Osborne-Smith and Eric Chin provided powerful frameworks, strategies and solutions to help shape and accelerate the digital transformation journey of legal teams.

 

InfoGovANZ founder & Executive Director Susan Bennett, moderated a session on Privacy, Trust & Technology: Innovation with Accountability, joined by Sarah Auva’a, Lead Digital Trust Partner, Spark and Emma Maconick, Head of Data and Technology, EY Law. This wide-ranging discussion answered critical questions including what is privacy-by-design and security-by-design, why trust and ethics matter, how good governance can help mitigate risk and how to make the business case for investment in privacy and governance projects – as well as the highly topical Optus data breach.

One of the fantastic additions this year was the highly popular breakout streams for those from law firms, in-house and exciting Tech Talks. Sara Rayment of Inkling Legal, led fantastic legal design sessions to both the law firm and in-house streams, providing ideas they could take back and implement.

Bringing everything together superbly was the MC, Helen Mackay of Juno Legal.

 

LawFest is the only event in New Zealand providing the opportunity to meet and see leading legal technology in the large exhibition hall, together with live legal tech demonstrations. This year LawFest featured the largest Expo of tech providers ever assembled at a New Zealand legal event. From start-ups, through to global household names – if you provide legal tech in New Zealand (or simply want to start) you were at LawFest.

The great content was complimented by fantastic networking opportunities, as the legal community were able to re-connect and network in-person – something we have all missed the value of over the past few years.

With LawFest 22 behind us, the focus now shifts to LawFest 23 on 1 June, where we will look to explore further how to adapt and thrive in an ever-changing legal market.

 

Author:

Andrew King, Founder and Strategic Advisor – E-Discovery Consulting

OAIC Notifiable Data Breaches Scheme – The first 4 years

by

The Notifiable Data Breaches (NDB) scheme commenced in February 2018, introducing new obligations for Australian government agencies and private sector organisations with an annual turnover of $3 million AUD or more. Notably, under the NDB scheme organisations are required undertake an assessment should they suspect: 

  • Unauthorised access to or disclosure of personal information, or loss of personal information where access by unauthorised persons is likely to occur, 
  • Serious harm to the individuals to whom the information relates is likely to occur, and 
  • The risk of serious harm cannot be addressed through remedial action. 

If the assessment indicates that serious harm is likely to result from a data breach, they must notify the Office of the Australian Information Commissioner (OAIC) as well as all affected individuals so they can take action to address possible consequences and also. As data breaches and subsequent investigations are often significantly complex, an organisation or agency is given a baseline of 30 days to assess whether a data breach is likely to result in serious harm. However, once the organisation has formed the view that a data breach has occurred, individuals who may be seriously impacted by the data breach must be notified as soon as practicable. For example, in their recent data breach Optus has indicated that the assessment process took place over the course of no more than a couple of days prior to start of the notification process. 

The OAIC has published bi-annual reports summarising the details of reported data breaches since 2018 and this article examines some of the identifiable trends in these reports over the past four years. The OAIC report for the most recent 6-month period (Jan-Jun 2022) should be released in the next few weeks, however some released statistics from the impending report indicate that the observed trends discussed in this article continue through the most recent period. The full OAIC reports are available from https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics, and further information is available on the OAIC website: https://www.oaic.gov.au/privacy/data-breaches 

Organisations that fail to report a notifiable data breach can be subject to the same penalty as if they committed a serious or repeated breach of privacy, however organisations may look for a defensible reason to avoid reporting a breach as opposed to having to report a data security failure to the regulator. Even serious breaches where substantive personal data has been lost might be considered non-notifiable should the breached organisation feel they have undertaken sufficient remediation action which lessens the chance of serious harm.  

Ransomware attacks, one of the common externally perpetrated data breach events, have evolved in recent years to extend beyond holding data in an encrypted state and often now include the exfiltration of sensitive data from target organisations. Data is often held by the attacker, with the threat of publication on the dark web balanced against payment of the ransom. Should the breached organisation make payment of the ransom, the attacker generally will agree to delete the exfiltrated data. While it is essentially impossible to be certain that all copies of this data have been deleted, a breach organisation is likely to consider such an arrangement as sufficient “remediation” of the breach event in that the likelihood of the data being used in such a way that would cause serious harm to individuals is substantially reduced. In such circumstances, the breached organisation may choose not to report the incident to the OAIC, despite the severity of the initial data breach.

Breach Notification Trends 

Due to the complex nature of data breaches and reclassification of notifications over time, there is some variation in breach notification statistics between the time of OAIC publication and the present date. The stats shown in this article are taken from each quarterly/bi-monthly report which reflected notification data at the time of report publication, however it should be noted that breach statistics will have changed to a degree from what we have summarised from the OAIC reports. 

Over the past 4 years, there have been more than 3,500 reported data breaches, of which 60% were Malicious (or criminal), 35% were Human Error and 4% were due to System Faults. Taking into account that 2018 was a partial reporting year, approximately 1,000 breaches would have been reported to the OAIC across 2018 and 2019, with a slight uptick in 2020 and a substantial reduction in 2021. A summary of the data breach notifications made to the OAIC are displayed in the table immediately below 

Year  Breaches  Change  Malicious  Change  Human error  Change  System fault  Change 
20181  749    449    265    35   
2019  997  0%  625  +4%  329  -7%  43  -9% 
2020  1,057  +6%  627  0%  380  +16%  50  +16% 
2021  910  -14%  545  -13%  324  -15%  41  -18% 
Total  3,713    2,246    1,298    169   

 The table above also shows that malicious action breach incidents (combining both internal and externally originated) increased in 2019 compared against “non-malicious” breach types, however this trend was reversed in the following year. This was followed by was a slight reduction in all types of breach notifications in 2021. Overall, the OAIC NDB reports show a fairly flat trajectory over the length of the scheme.  

Conversely, US data on publicly reported data breaches over this time period shows year on year increases between 2018 and 2021, effectively doubling from 1,244 to 2,407 per year over this time period2. It is worth noting that data breach reporting requirements in the US vary from state to state and are substantially different to the Australian NDB scheme. However, the significant difference in the overall trend of breach reports is still interesting, particularly as the US Data indicate that the number and severity of malicious cyber-attacks appear to be increasing over time 3 in contrast, the declining number of reported malicious breaches (as well as non-malicious breaches) in the Australian NDB data suggests there may be other systemic factors at play with regards to the number and type of breaches reported under NDB scheme.   

Number of individuals impacted by a breach 

As can be seen in the table below, the majority of data breaches tend to have low numbers of individuals affected by the breach. However, the number data breaches affecting large numbers of individuals remained fairly steady over the data period, indicating that a significant proportion of the Australian population is likely to have been impacted by a data breach throughout this time period. 

Year  Total Breaches  <1k  1k-5k  5k-10k  10k-25k  25k-50k  50k-100k  100k-250k  250k-500k  500k-1m  >1m  Unknown 
2018  749  638  61  15  9  1  4  4  1  0  2  14 
2019  997  834  74  19  16  7  5  5  2  0  5  30 
2020  1,057  890  90  12  13  14  6  2  4  2  7  13 
2021  910  787  71  12  15  7  5  4  2  1  4  2 
Total  3,692  3,149  296  58  53  29  20  15  9  6  16  59 

Kinds of personal information (PI) involved in breaches 

The majority of personal information present in data breaches was contact information, followed almost equally by financial and identity information. The proportions of personal information types present in data breaches has not changed significantly year to year, indicating that there has not been significant changes in the how organisations are holding or protecting particular types of personal information over this period.  

The higher number of breaches relating to contact information will be, to some degree, a function of the fact that only certain organisations need to hold more specific personal information about their customers. Despite the apparent lower impact from breaches relating to contact information, such data is still of substantial value for cyber-criminals for use in phishing and other targeted attacks, and may also be combined with information from other data breaches for more specific criminal use. 

Year  Contact Info  Financial Details  Identity Information  TFN  Health  Other sensitive information 
2018  647  335  273  186  148  61 
2019  817  398  293  255  157  85 
2020  890  408  439  272  184  134 
2021  803  376  432  256  184  140 
Total  3,157  1,517  1,437  969  673  420 

Maliciously originated breaches 

Most forms of malicious/criminal attack have been fairly consistent year-on-year, however ransomware in particular has been increasing year on year and 45% of all ransomware incidents occurred in 2021. The steady increase in this form of money-motivated cyber-attack aligns with anecdotal and industry reports of increases in this type of activity from organised cyber-criminal gangs and certain nation-state actors. 

It is interesting to consider the Optus data breach in the light of whether it would be considered a maliciously originated breach, a system fault, or a combination of both. While it certainly appears the case that a maliciously motivated individual or group has exfiltrated Optus customer data, the methods used remain a matter of debate and have not been fully confirmed by Optus or the federal government. Should it have been the case, an oversight which results in an API (Application Programming Interface) connected to a customer details database being left in an open state to external connections would almost certainly be viewed as a failure of internal systems and procedures. Optus’ CEO has indicated that the breach cause was not as straightforward as this, suggesting a more complex cause involving specific malicious technical action. 

Year  2018  2019  2020  2021  Total 
Malicious Breaches  449  625  627  545  2,246 
Theft paper/Storage  73  80  53  61  267 
Social Engineering  28  52  84  65  229 
Rogue Employee/Insider Threat  41  71  60  54  226 
Cyber (ALL)  307  422  430  365  1,524 
Cyber – Phishing  125  146  132  113  517 
Cyber – Stolen Credentials  79  140  108  100  426 
Cyber – Ransomware  18  29  69  86  202 
Cyber – Hacking  27  34  59  31  151 
Cyber – Brute  34  25  30  18  107 
Cyber – Malware  20  37  24  16  95 
Cyber – Other  5  10  9  2  26 

Human error breaches 

The majority of human error breaches are due to wrongly addressed emails, and this has been consistently the highest category, even with the 15% reduction in 2021.  Unlike malicious or systemic breaches, human error breaches – as classified by the OAIC – have limited technical controls that can be implemented to assist with prevention. Instead, education and procedure remain the best defence against these type of breaches. 

Year  2018  2019  2020  2021  Total 
Human Error Breaches  265  329  380  324  1,298 
Wrong email recipient  74  101  160  136  471 
Wrong hardcopy recipient  33  30  37  18  118 
Loss of hard/soft storage  34  40  25  23  122 
Unintended release/publication  41  76  62  71  250 
Failure to use BCC  22  18  30  25  95 
Failure to redact  14  19  20  23  76 
Unauthorised verbal disclosure  8  19  18  11  56 
Insecure disposal  8  5  2  0  15 
Wrong Recipient (Other)  19  21  25  17  82 
Other  12  0  1  0  13 

 

Business Sector Activity 

The Health, Finance and Business Services sectors collectively made up over 45% of all reported breaches in 2019 and 2020. In 2021, where a substantial reduction of breaches reports were made compared to previous periods, the combined breaches in there three sectors were still approximately 40% of the overall reports. Maliciously originated data breaches in the Legal, Accounting and Management sector was the only category to see a substantial rise in 2021, with almost all other types of breaches in these sectors seeing a decline from the previous year. 

Given the level of highly personal information held by Health sector organisations, the fact that these organisations feature so highly in the NDB statistics is of cause for specific concern. While federal and state legislation provides guidance for the collection, management and use of health data, as well as highlighting the highly confidential nature of such data, Australia currently does not have an equivalent to the US HIPA Act where substantive penalties and sanctions can be levied specifically pertaining to non-criminal use or loss of health data.

Sector  2019  2020  2021  Total 
Health – Malicious  111  97  87  295 
Health – Human Error  106  135  74  315 
Health – System Error  5  6  7  18 
Finance – Malicious  77  98  57  232 
Finance – Human Error  59  47  44  150 
Finance – System Error  10  11  12  33 
Legal, accounting & management – Malicious  60  42  61  163 
Legal, accounting & management – Human Error  25  22  24  71 
Legal, accounting & management – System Error  2  5  1  8 
Total  455  463  367  1285 

The OAIC provide details on the top 5 sectors reporting data breaches over each period. As only the Health, Finance and Legal, Accounting & Management sectors have consistently appeared in the periodic reports, and only the 2019-2021 reporting periods include complete data, only the data from those three sectors and three periods has been included in this analysis.  

 

Observations 

The OAIC official data breach statistics show an overall declining trend in reported breaches under the NDB scheme. On the surface this would potentially represent a good new story – in that organisations are becoming better at preventing data breaches and successful malicious attacks on organisations may becoming fewer. The counter-argument to this observation is the legal advice and remediation response organisations are using to inform their decisions on whether a breach falls under the NDB may have changed over time, resulting in fewer breaches being reported rather than fewer breaches actually occurring. 

The recent data breach incident at Optus has highlighted the widescale impact that a large data breach can have both on the breached organisation and the individuals to which the data belonged to. In terms of the scale, size and type of data that was taken, in addition to the media coverage, there would be little chance that any person assessing this breach would consider that it would not require mandatory reporting. However, in circumstances where a less comprehensive data set was exposed, with substantially fewer affected individuals, the potential for serious harm may not be considered as high, resulting in variable decisions to report.  

A smaller scope breach just involving loss of customer name and address information might be considered to hold lesser chance to cause serious harm by themselves. When such a breach is potentially remediated – say by payment of a ransom – it may be the case that an organisation feels that the breach no longer meets the threshold to require mandatory reporting and notification of affected individuals. However there is little in the way of guarantees that organisations can seek from cyber-criminals who hold exfiltrated data at ransom. The destruction of this data upon payment of a ransom is entirely in the control of the criminals and cannot be verified by the organisation.  

It is also worth noting that a somewhat “lesser” data breach containing names and addresses may be combined with data sets containing account details, passwords and identify information obtained from other breaches. In a similar way that de-identified “Big Data” sets hold the potential for  “re-identifcation” of individuals, combining multiple data sets residing on the dark web following successive breaches of different organisations results in a substantially higher chance of serious harm to affected individuals over time. As such, the OAIC and the Federal Government may wish to consider the provision of further guidance around notification requirements based on the type of data that exposed during a breach as well as what successful remediation of a breach should cover. 

The Optus data breach has also demonstrated that certain types of organisation are required for regulatory reasons to collect more personal information than others. There appears to be substantial uncertainty in the various regulations governing this requirement as to the length of time such information needs to be held and also as to how such information can be used and must be protected by the collecting organisation. Undoubtedly both Federal and State governments in Australia have observed this issue in recent weeks and it can be hoped that specific actions clarifying and improving regulatory requirements around collection, storage, use and disposal of personal information by Australian organisations will be forthcoming in the near future. 

 

Other obligations in reporting an NDB 

Organisations may have other obligations outside of those contained in the Privacy Act that relate to personal information protection when responding to a data breach. These may include data protection obligations under state-based or international data protection laws. Notably, Australian businesses may need to comply with the European Union’s (EU’s) General Data Protection Regulation (GDPR) if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU. 

For data breaches affecting certain categories of information, other mandatory or voluntary reporting schemes may exist. For example, entities may need to consider reporting breaches to: 

  • the entity’s financial services provider 
  • police or law enforcement bodies 
  • the Australian Securities & Investments Commission (ASIC) 
  • the Australian Prudential Regulation Authority (APRA) 
  • the Australian Taxation Office (ATO) 
  • the Australian Transaction Reports and Analysis Centre (AUSTRAC) 
  • the Australian Cyber Security Centre (ACSC) 
  • the Australian Digital Health Agency (ADHA) 
  • the Department of Health 
  • State or Territory Privacy and Information Commissioners 
  • professional associations and regulatory bodies 
  • insurance providers.

Useful resources 

Office of the Australian Information Commissioner https://www.oaic.gov.au/privacy 

Australian Cyber Security Centre (ACSC) https://www.cyber.gov.au/ 

IDCare https://www.idcare.org/about-idcare/what-is-idcare 

Scamwatch https://www.scamwatch.gov.au/ 

MoneySmart https://www.moneysmart.gov.au/ 

The Office of the eSafety Commissioner https://www.esafety.gov.au/ 

Author

Dr Peter Chapman, Director, Forensic Technology – KPMG

Thank you to Matthew Golab, Director – Legal Informatics and R&D at Gilbert and Tobin, for his analysis of the OAIC reports and contribution to this article.

Five Common Misconceptions about Structured and Unstructured Data

by

Key Takeaways:

  • Structured data is quantitative (anything you can easily store in rows and columns) and relatively easier to keep compliant.
  • Unstructured data is qualitative (think your emails and Teams chats) and much harder to manage.
  • Nearly all organizations are operating under one or more misconceptions about their data (and compliance or lack thereof with new privacy laws!).

The Two Types of Data Your Organization is Accumulating (and Why You Should Care)

We’ll start with why you should care.

If you’re familiar with the data compliance space, you already know that new laws require your organization to take specific steps to protect the rights of anyone whose data they hold. (If you’re not familiar with data compliance – surprise!)

The first step to maintaining compliance with these laws is understanding what data your organization actually has. Not having this understanding is dangerous for three reasons:

  • The less you know about your data holdings, the more likely they are to contain noncompliant data. Which means legal action and large fines if they stay that way.
  • In today’s world, it’s not if your data gets breached, it’s when. You want to ensure your data’s in top shape to preserve your organization’s reputation.
  • Cost! And not just in fines and breach remediation expenses. Chances are your organization doesn’t need most of the data it’s holding, and therefore could be saving a bundle on data storage.

The first step to understanding your data holdings is to understand the difference between the two main types of data: structured and unstructured.

Structured data is what probably comes to mind when you hear the word “data”: spreadsheets on spreadsheets filled with quantitative information. Essentially, structured data is anything you can store in rows and columns, such as information stored in databases (think SQL), CSV files, and so on. It’s easily understood and analyzed by applications other than the ones that generated it, and it doesn’t scale easily – which is good for privacy purposes. It doesn’t grow out of control on its own, at least not for a long time.

Unstructured data is the qualitative data naturally generated from interactions with people. Think the text stored in your emails, Teams chats, social media, and websites. It can also comprise images, PDFs, Word docs – anything you can’t store in rows and columns. It’s not usually in a format that other applications can easily understand and analyze. And it multiplies like you wouldn’t believe: how many emails have you sent and received just this week?

Both types carry their own risk, but unstructured data is by far the riskier of the two. In today’s world, we generate it so quickly and in such high volume – and with such little organization –  that it’s functionally impossible to keep track of without using data discovery software.

On the flip side, once you have the right tool, getting to compliance becomes exponentially easier. When you can visualize all your unstructured data, you can see what’s out of compliance, fix that right quick, and understand where your policies and workflows need to change to keep everything above board.

Some Common Misconceptions Your Organization Might Have

We all know an ounce of prevention is worth a pound of cure. And yet: most of us don’t go to the doctor until we get sick.

The compliance world is no different. With regulations still relatively new, most organizations don’t fully appreciate the urgency surrounding the issue – and won’t until they themselves get breached.

If your organization is anything like most, you’re probably operating under one of the following misconceptions.

Misconception #1: We Already Know What Data We Have

Name the last time you checked your Teams log. Or your Downloads folder. Your email archives? You get the idea.

People – and companies – don’t typically monitor or clean these types of things without a push. Without the proper privacy functions in place, we’re liable to think the trash in the ocean isn’t a problem. Until, of course, there’s an island of it.

Misconception #2: We Won’t Get Breached

There is a roughly 30% chance your organization will get breached this year. This stat increases every year.

It’s also possible you’ve already been breached. According to IBM’s annual Cost of a Data Breach report, the average time to identify and contain a breach in 2021 was 287 days.

When you get breached, you can cut the time and expense involved significantly – nearly entirely – by already being in compliance. Compliant data equals a quick, cheap(er) remediation with no additional reputational damage on top of the fact that the breach occurred.

Misconception #3: It’s Too Expensive to Figure Out What We Have

According to that same IBM report, the average cost of a breach in a hybrid cloud environment was $3.61 million. On top of that, compliance failure was the top factor found to amplify data breach costs. And remember, it’s not just the cost of remediating compliance flaws you have to worry about. Regulatory fines are getting steeper every year.

Misconception #4: It’s Too Labor Intensive – We’d Need a Team of Experts

Since data privacy regulations are so new and the solution market is still growing, it’s easy to believe you’d need in-house specialists to operate whichever data discovery solution you ended up going with.

Not if you choose the right one! Specifically, you want to make sure you select a solution that’s purpose-built for ease of use. From deployment to monitoring and at every stage in between, no expert knowledge should be required. Don’t go with a solution that’s been repurposed from another area of the market, such as data loss prevention or data access management.

Misconception #5: Traditional Data Inventory Methods Still Cut It

Back in the day, and still sometimes today, organizations would build data inventories through manual assessments and questionnaires: they’d basically ask their staff what data they thought the organization had.

In today’s world, with data accumulating and multiplying by the second, a manual static inventory won’t do the trick. It’s obsolete as soon as you create it.

To ensure continuous compliance, you need real-time visibility into your data.

Learn more

To learn more about data protection, security and compliance, listen to this podcast published on the Society of Corporate Compliance’s blog.

For more information on how to achieve cost effective and lightning speed visibility into your unstructured data so you can mitigate risk, check out ActiveNav Cloud.

 

Author

Simon Costello, VP – APAC, ActiveNav