In some of our recent blog posts, we have discussed the need for METS companies to have data protection plans in place, and how METS companies can prepare a response plan in preparation for a potential breach. While the threat of a cyber-attack is growing exponentially for all business and governments, the METS industry can be as particularly vulnerable to greater levels of catastrophe, given the nature of its work, such as the commandeering and remote control of equipment and the potential for human interaction and risk a distinct possibility. Greater utilisation of the Industrial Internet of Things and data-sharing and data clouds also increase the risk and potential impact of data breaches in the METS industry.
In today’s post, we will go into further detail on one of the key aspects of data protection: responding to a breach. Managing a data breach or cyber-attack and its consequences is critical, given that the financial impact and disruption to business for a METS company following a cyber incident can be far-reaching and unpredictable. An effective response will help manage and mitigate these consequences as much as possible.
Obviously, data breaches have a wide variety of causes and influencing factors. Different type of confidential information may be involved, and as such both the level and type of risk to a company will vary depending on the breach itself.
This is why preparation for and protection against a data breach is so important in order to minimise the potential for disruption and damages to a business. There is no single, definite way to respond to a data breach, and instead each individual breach has to be dealt with on a case-by-case basis. This requires an understanding of the risks posed by a breach and the best and most effective methods of eliminating or reducing these risks.
An effective data breach response allows a company to reduce or remove harm to affected individuals, while at the same time protecting the interests of the company. With this in mind, there are four key steps that, in general terms, will need to be taken in order to respond to a data breach.
Step 1: Containment
Once a company has discovered or suspects that a data breach may have occurred, it needs to immediately move to contain the breach and prevent any further exposure of data.
This may be stopping the unauthorised practice or access by an employee, or shutting down the system that is subject to a cyber-attack.
During this stage, a strategy should be developed in order to deal with the specific breach at hand. In order to do this, it will be helpful to ask a few key questions. These include:
- How did the data breach occur? Was it accidental or malicious, i.e., a cyber attack?
- Was the threat external or internal? For METS companies, an external threat may be a ‘hacktivist’, State Actor or cybercrime-related. An internal threat may be a rogue or disgruntled employee or an accidental incident.
- Is the breach ongoing or has it now ended?
- What parties have gained access to the personal or company information?
- What steps can be taken to secure any confidential information, or if the breach is ongoing, stop any unauthorised access?
- How can the risk of harm to the company or individuals be reduced?
Step 2: Assessment
The second step involves conducting an assessment of the breach by looking at the facts and making an evaluation of the risks, and where possible, taking steps to reduce or eliminate these risks.
By assessing the data breach and cyber attack, a METS company will be able to gain an understanding of what risks have been exposed as a result of the breach and the best ways to address these. This is particularly important for METS companies as they may be working as part of a larger team, using shared collaborative technology or with other companies on a mine site.
Typically, an assessment will identify things such as:
- The type of data involved in the breach – i.e., personal information of clients or the confidential company information;
- The cause and extent of the breach; and
- The nature of the harm to affected individuals, and if this can be removed or reduced by any remedial action.
In particular, the assessment of what remedial action may be taken should be an ongoing point right from the start, and should not discreet from any other step.
Step 3: Notification
Under this step, an assessment needs to be made as to whether the affected individuals and the Office of the Australian Information Commissioner (if required under Australian law) should be notified of the data breach, and if so, when.
Notification of the data breach can be an important part of the strategy to mitigate the impact, and has the potential to provide benefits to not just the affected individuals but also the company itself. That being said, if individuals or clients are notified about a data breach that has little to no risk of harm, this will cause them unnecessary stress and anxiety, and may needlessly damage the reputation of the company. Furthermore, needless notification may have the side effect of desensitising individuals towards data breaches, meaning that in the event of a more serious breach they may not appreciate the full implications or risks. The key challenge in this step is to determine when notification is appropriate in and of itself. This needs to be done on a case-by-case basis.
In practical terms, notification will allow affected individuals, such as clients, to take steps to limit the divulgence of personal information following a data breach. This may simply be by changing passwords, or otherwise being alert to potential scams or phishing attempts that stem from the breach.
As part of this step, entities covered by the Notifiable Data Breach (NDB) Scheme under the Privacy Actneed to make an assessment as to whether the data breach is likely to cause serious harm, and if so, need to advise the Office of the Australian Information Commissioner of the breach. While a wide range of entities are covered under this legislation, as relating to METS companies this will generally be business organisations with an annual turnover of more than AU$3 million.
Step 4: Review
Finally, a review of the data breach incident should be conducted in order to consider how to improve security and prevent additional future breaches.
This step will take place once the breach has been effectively responded to via steps 1 to 3. A review will allow a company to learn from the data breach / cyber attack in order to improve its cyber-security practices and how it handles personal and confidential information. In particular, if there have been similar breaches in the past, this may be an indication of a systemic issue with security defences or procedures.
A review will typically include things such as:
- A security review to analysis the root cause of the attack or breach;
- Development of a prevention-plan to avoid incidents of a similar nature in the nature;
- A review of overall company policies and procedures in relation to cyber-security to take into account lessons learned; and
- Changes to employee intake selection processes and training procedures.
With the advent of the digital transformation of the METS industry and the amount of technology implemented by METS as part of completing their normal operations, the risk for cyber attacks and data breaches continues to grow.
While in today’s post we have described how a METS company might effectively respond to a data breach or attack, it is critical that cyber-security is proactive and not merely responding to threats as they arise. While every threat, attack or issue will be different, there are a number of steps any METS company can take in order to make their company become cyber-resilient. This involves prevention of cyber-attacks and breaches, and ensuring that companies and operations are able to continue with minimal disruption in the face of a breach by having an effective response-plan in place, and being able to effectively respond to any cyber attack or breach.
Harris Gomez Group is a Common Law firm, with offices in Santiago, Bogotá, and Sydney. We also have legal teams in Peru, Bolivia, Ecuador, Brazil, and Argentina. Over the last 18 years, we have been supporting foreign companies with their growth in Australia and Latin America. Many of our clients are technology companies, service providers and engineering companies that focus on the mining, energy and infrastructure markets.
To better understand how we can support your management team in the Region, please contact us at firstname.lastname@example.org