Cyber risk from external bad actors is a keen area of government, public and industry focus right now – but there are also significant risks posed by trusted insiders.
Cyber is having a moment. Ever since a small number of big brand names became synonymous with super-sized data breaches in 2022, focus on organisations’ vulnerability to cyber attacks from organised or opportunistic outsiders has catapulted from the IT team to national-security-level political players.
But last week, a shark attack in Sydney Harbour not only prompted some second thoughts about popping out for an evening swim, but also served as a reminder that data breaches, and other types of privacy harms, can be facilitated by trusted insiders as well.
When ‘gruesome shark bite’ photos of a female patient, taken inside the emergency department of a hospital, popped up on social media, the hunt was on for who leaked the images. The investigation included hospital personnel, attending police officers, and Department of Primary Industries scientists, all of whom had legitimate access to photos (for example, so as to assess what type of shark it was), before the NSW Ambulance Service ‘fessed up that one of its paramedics was behind the leak.
NSW Ambulance has apologised for the breach of the patient’s privacy, but as of yet has not said what action will be taken against their employee.
For NSW public servants, the unauthorised but intentional disclosure of health information that was gained in the exercise of their official functions is ‘corrupt disclosure’ (even if no money is changing hands), a crime punishable by up to 2 years’ imprisonment. And a heads up: anyone else who now shares those images may also be committing a separate crime.
Clearly, the law alone is not enough to stop privacy breaches.
Some people will be motivated by curiosity, greed, fun, financial need, boredom, revenge, family disputes, jealousy, a workplace grievance or the pursuit of power to look up and misuse personal information or confidential records.
Even when the law says it is a crime. Even when they have been warned they could be sacked. (In one case, even when the same employee was warned for doing it previously!)
It happens in hospitals. It happens in police forces. It happens in banks and in credit card companies and hotels. It happens in government departments and in call centres.
Some people will do the wrong thing.
So relying on the law alone to prevent the misuse of personal information by authorised users is about as useful as building a bank vault with an unlocked door and no alarms, but telling customers their money will be safe because it is illegal to steal.
Yet when we conduct privacy compliance reviews for clients, we so often hear the refrain that “our staff will never misuse personal information because it’s against the law”. A related argument is “… because it’s in our code of conduct”.
We hear this offered as a reason not to tighten up role-based access controls, not to implement other risk mitigation strategies, or not to run comprehensive, auditable privacy compliance training.
In a recent case involving a human-error-caused data breach, the NSW Civil and Administrative Tribunal placed little weight on the fact that the recipients of the disclosed personal information had privacy obligations under legislation, or confidentiality obligations under contract, which the agency argued should operate to prevent anyone from misusing the information sent to them in error. The Tribunal found that the agency’s “responsibility to have reasonable security safeguards on the personal and health information it has in its possession and control cannot be delegated in this way”.
The message is clear: to protect the privacy of the personal information you hold, you need to apply privacy by design, build in technical controls, train all staff, and enforce a security culture, in order to make attempted misuse – as well as accidental disclosure – as difficult as possible.
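As an added illustration of what “technical controls” for insider misuse can look like in practice (this is example code, not the author’s or any agency’s system), the script below enforces two checks that a records system can apply on every access: the user’s role must permit the action, and the user must have a current treatment relationship with the patient. Every access, allowed or refused, is recorded, and repeated access to a record flagged as high-profile is queued for review. The role model, the assignments and the log entries are all constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample data: a simplified role model for a hospital record system.
ROLE_PERMISSIONS = {
    "paramedic": {"view_clinical"},
    "nurse": {"view_clinical", "view_images"},
    "clerk": {"view_demographics"},
}
USER_ROLES = {"paramedic_01": "paramedic", "nurse_07": "nurse", "clerk_03": "clerk"}
# Treatment relationships: which patient records each user currently needs to access.
ASSIGNMENTS = {
    "paramedic_01": {"P-1001"},
    "nurse_07": {"P-1001", "P-1002"},
    "clerk_03": {"P-1002"},
}
# Records flagged as high-profile (e.g. media interest) where repeat access is reviewed.
WATCHLIST = {"P-1001"}


@dataclass(frozen=True)
class AccessEvent:
    ts: str
    user: str
    patient: str
    action: str


def authorise(event):
    """Return None if the access is allowed, otherwise the reason it is refused."""
    role = USER_ROLES.get(event.user)
    if role is None:
        return "unknown user"
    if event.action not in ROLE_PERMISSIONS.get(role, set()):
        return f"role '{role}' not permitted to {event.action}"
    if event.patient not in ASSIGNMENTS.get(event.user, set()):
        return "no treatment relationship with this patient"
    return None


def review_access_log(events, watchlist=WATCHLIST, repeat_threshold=3):
    """Apply the access rules to a log and return (ts, user, patient, finding) tuples.

    Refused accesses are reported individually; allowed accesses to a watched
    record are counted per user and reported once they reach repeat_threshold.
    """
    findings = []
    allowed = []
    for e in events:
        reason = authorise(e)
        if reason:
            findings.append((e.ts, e.user, e.patient, f"REFUSED: {reason}"))
        else:
            allowed.append(e)
    counts = Counter((e.user, e.patient) for e in allowed if e.patient in watchlist)
    for (user, patient), n in counts.items():
        if n >= repeat_threshold:
            findings.append(("-", user, patient, f"REVIEW: {n} accesses to watched record"))
    return findings


# Constructed log: one morning's accesses to two patient records.
SAMPLE_LOG = [
    AccessEvent("09:01", "paramedic_01", "P-1001", "view_clinical"),
    AccessEvent("09:02", "paramedic_01", "P-1001", "view_images"),    # beyond role
    AccessEvent("09:05", "clerk_03", "P-1001", "view_demographics"),  # no relationship
    AccessEvent("09:10", "nurse_07", "P-1001", "view_images"),
    AccessEvent("09:11", "nurse_07", "P-1001", "view_images"),
    AccessEvent("09:12", "nurse_07", "P-1001", "view_images"),
    AccessEvent("09:20", "nobody", "P-1002", "view_clinical"),        # unknown account
]

if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_LOG):
        print(*finding)
```

Note what this does and does not achieve. The first two checks stop a clerk or an unrelated officer from opening the record at all, and the audit trail makes every allowed access attributable to one account, so a leak can be traced to a short list rather than to every agency that handled the case. What it cannot do is stop someone with legitimate access from photographing a screen; that is where training and culture, the other half of the message above, have to carry the load.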
Contact us to find out more about privacy compliance training across your organisation, Privacy by Design training for select teams, or how to get your hands on our Checklist of 81 Common Privacy Risks & Controls.