Local government leaders are legally required to report data breaches to the national data protection authority, delegates heard at an industry event.
Speaking at the ALGA-hosted Tech Leadership Summit in Sydney last week, Orange City councillor and cyber security expert Jeff Whitton told delegates Australia’s Privacy Act states that if personal information is lost they need to inform the Office of the Australian Information Commissioner.
“If you lose it, and it’s in your care, it must be reported,” he said. “The people who own that information also need to know you’ve lost it because hackers can use that information to be them.”
A lot of people think that if they report a data breach to the OAIC they will be in trouble, said Whitton. “That’s not so. They’re there to help you, to advise you. They’re there to help you recover from the incident.”
It’s important to report data breaches because if the commission knows about it, other councils can be protected, said Whitton. “That’s why it needs to be reported so that the intel can be shared amongst the sector.”

Data breaches must be treated as crime scenes, and local governments need to have an incident response plan in place, the 100 or so delegates were told. “An incident response plan identifies everything an organisation does,” said Whitton. “What technology it has, what assets it has … because if you don’t know about it, how can you protect it.”
An incident response plan “pinpoints an organisation’s crown jewels”, said Whitton. “The crown jewels is what would bring your organisation to its knees if it was hacked,” he explained.
For councils that would be financial systems and critical infrastructure, delegates were told. “As a council, we have to understand what it is we are trying to protect. And that’s what we need to communicate to councillors,” said Whitton.
When people panic things go bad
An organisation can spend tens of millions of dollars investing in technology to protect themselves, said Whitton, “not really understanding what it was that they were trying to protect – and still get hacked”.
If you have an incident response plan and you do get hacked “everyone knows what to do because it contains playbooks”, said Whitton. “And playbooks are designed to be tested and tested and tested so that when you’re training your teams internally, they know what they’ve got to do.”
Local government decision makers must own the incident response plan, said Whitton. “Because you need to stick to it in times of crisis; you need to follow your own plan. When people panic things go bad.”