On 18 December 2020, the NSW Auditor-General published its report into Service NSW's handling of personal information regarding a data breach first identified in March 2020. The report made eight recommendations and provided a significant opportunity for Service NSW to elevate its privacy practices. It also contained "important learnings for all NSW government agencies, including local councils and public universities."

Originally, the two separate business email compromise events involved 47 email accounts where around five million documents were at risk, of which half a million were likely to contain personal information. Original reports indicated that around 186,000 NSW residents had been affected.

However, in December 2020, Service NSW revised this figure down to 106,000 people affected, noting that approximately 25,000 people, who had incorrectly been notified about the breach, were no longer subject to any breach.

The other significant issue is that the information at risk, often copies of scanned documents sent by email, was held outside Service NSW's Salesforce CRM system and so was not subject to the same level of security as information held within the system. This issue, together with the way its cyber risk and compliance function was managed within the NSW government cluster (outside of Service NSW but under the Department of Customer Service), raised significant operational issues.

Insights

The report contains eight key recommendations for Service NSW, spread across a timeline of urgent and immediate matters and matters to be done over the next year. Some of the recommendations could be applied proactively by other agencies or businesses to strengthen their risk position in the event of a business email compromise.

At this year's virtual NSW Government CLE intensive in late February, we will be presenting a case study to drill down into these recommendations and the lessons that other agencies can learn from and act on to build resilience.
