So what happened?
The Blood Service became aware of the incident on 26 October 2016 and took the following steps to respond:
* Continued to engage with the Incident Management Service of AusCERT by telephone and in person to assist its response to the incident.
* Confirmed (via AusCERT) that the copies of the data file held by the unknown individual and Mr Hunt were deleted.
* Engaged IDcare, an identity and cyber support service, to undertake an independent risk assessment of the personal information compromised. IDcare assessed the personal information as being at low risk of future direct misuse.
* Notified the public and affected individuals on 28 October 2016 that a data breach had occurred, by issuing press releases on websites and social media and by notifying affected individuals by text and email.
* Engaged specialist organisations to conduct forensic analysis on the exposed third-party server, to monitor the Donate Blood website for any vulnerabilities or unusual activity, and to monitor the dark web for any indication that the data was available or was being traded.
Following the incident, the Red Cross enhanced its information handling practices and provided an enforceable undertaking to engage an independent reviewer to review its third-party management policy and standard operating procedure.
Summary
Enterprises, including not-for-profits, like any other organisation that deals with information, should consider the risks associated with cybersecurity. The appropriate response will vary depending on the size of the organisation, its resources, and the risk itself.
The expansion of directors’ duties to include cybersecurity means that enterprises should consider model responses, such as that of the Red Cross, and frameworks, such as NIST, when creating policies or structures that might protect them from liability should there be a cyberattack. Organisations that are unsure about the risks associated with cybersecurity should seek legal advice.
About Vera Visevic
Vera heads up the Not-for-profit team at Mills Oakley. Acting for numerous charities, religious and not-for-profit organisations, Vera has over 20 years' experience in the legal profession. In her work, Vera focuses on governance and fundraising issues, restructuring and mergers, and regularly advises on constitutions and ACNC/ATO endorsements.
Vera edits the Clubs & Societies title in the Australian Encyclopaedia of Forms and Precedents, and is an author in “Charity Law”, European Lawyer Reference (2012 and 2016). Further, Vera reviewed the Community Care and Service regulatory compliance module for LexisNexis, covering such topics as the National Disability Insurance Scheme, and community housing. Vera sits on a number of Not-for-profit boards and committees. To find out more please do not hesitate to contact Vera Visevic.
T: +61 2 8289 5812
This article was co-authored with Brian Lee – Law Graduate at Mills Oakley. Brian completed his Bachelor of Laws and Bachelor of Arts majoring in Music at UNSW in 2017. Brian has an interest in emerging issues surrounding cybersecurity and its legal implications for governance frameworks.