The New South Wales government must provide its cyber security agency with a clearer mandate, more independence and increased authority, according to a parliamentary committee report.
The report on cyber security in the state, published on Friday, largely focuses on the cyber attack that breached the email accounts of Service NSW staff last year.
The attack saw the personal details of more than 100,000 people stolen.
Committee chair Tara Moriarty said a lack of best practice cyber security measures within Service NSW had allowed the “shocking incident” to occur.
“Compounding this incident, Service NSW was aware of the risks that led to the attack some 12 months earlier but had not acted sufficiently to address them,” she said in a statement.
“Further, following the attack, the agency took too long to notify those impacted and did not provide them with sufficient information, support and direct assistance throughout the process.”
Last year the NSW Audit Office recommended that Service NSW stop using email to transfer personal customer information to other agencies and implement another solution “as a matter of urgency”, after it found the use of email had contributed to the breach.
The committee has found that Service NSW has “taken steps to reduce its dependency” on using email to send personal information. However, it has not completely stopped using this process, “thereby operating in a way that enabled the data breach”, the report noted.
“The committee urges the cessation of this practice as a matter of priority,” it said.
The committee also found that the NSW government lacks the frameworks and processes needed to sufficiently deal with individuals’ requests for assistance in the event of a breach of their data.
“People who suffer data breaches are left to their own resources and the existing, unsatisfactory state of the law where very few persons are eligible for relief, assuming they have the financial resources to seek it,” it said.
To address this, the committee has recommended the government implement a framework or clear process to “properly and expeditiously” handle such requests for assistance.
Among the other 11 recommendations, the committee has called for the state government to bolster its cyber security policy, and better educate public officials and cyber security professionals. It should also review and enhance the role and mandate of Cyber Security NSW to ensure agencies comply with the state cyber security policy.
“The committee considers that the role of Cyber Security NSW could be enhanced to provide oversight and more direct input on agencies’ cyber security risk assessments and mitigation strategies,” it said.
“The committee recognises that each agency needs to be responsible for its own cyber security; however, there is an opportunity for Cyber Security NSW to have a clearer mandate to ensure agencies are meeting a certain standard.”
Cyber Security NSW should also be moved from within the Department of Customer Service to the Department of Premier and Cabinet to give it more independence and increased visibility and authority, the committee said.
Meanwhile, the responsibility and resourcing of the Privacy Commissioner should be reviewed so the agency can be “more proactive in ensuring government services and systems are designed and delivered with stringent privacy protections”, the committee recommended.
Moriarty said the attack on Service NSW has shown the government needs to do more to protect members of the public and their personal information.
“Proactive, robust and resilient cyber security measures are critical now more than ever,” she said.
“Failing to get cyber security right not only puts citizens at risk, but it undermines trust in government and negatively impacts the state’s economy and business community.”
The government is expected to respond to the report by September 27.