How much of your personal data is held online?
If you have any social media accounts, use online tools and software, own a smartphone, or even simply send emails regularly, chances are information about you is everywhere.
If you operate a business or not-for-profit bound by the Privacy Act, it’s also likely that your company looks after a large amount of this personal data about your customers.
The Australian Government is now holding businesses accountable for their data security
On 22 February 2018, Australia’s federal data breach notification law came into effect. The law makes it mandatory for businesses that are bound by the Privacy Act to self-report certain types of data breaches.
The data breach notification law applies to businesses (and not-for-profits) that are bound by the Privacy Act 1988 (Cth). This includes businesses with an annual turnover of $3 million or more, health service providers, credit providers, credit reporting bodies and businesses that trade in personal information.
The government has issued preparation and response guidance for companies that suffer a data breach. It has also provided a reference for evaluating the nature and severity of a breach, and for working out how you must comply.
What does the federal data breach notification law mean for businesses?
The new legislation should encourage an increased focus on online security and privacy protection, since it threatens significant penalties for businesses that fail to comply. However, you also shouldn’t underestimate the risks of legal action or reputational damage as a result of a data breach.
Before this law, Australian businesses had no obligation to let their customers know if data had been compromised. Now, businesses must report any data breach and face the consequences. How would your customers react to the news that a malicious party had accessed or misused their personal data via your business?
Data breaches in the news
You can see a visual representation of all recent data breaches here. Some of the breaches in recent years include:
Uber
- 57 million customers affected in 2015.
- Drivers and customers had their names, email addresses, licences and mobile numbers stolen.
- Uber failed to disclose the breach to regulators.
- Uber’s chief security officer left the company during the scandal.
Instagram
- 6 million users affected in 2017.
- Hackers scraped email addresses and contact information of users.
- Instagram originally said that only verified accounts were affected, but later admitted that some non-verified users’ details were also stolen.
- Hackers established a searchable database of victims’ contact information for $10 per search within hours of the attack.
Facebook
- 50 million users affected in 2018.
- Cambridge Analytica, a political consulting firm, illicitly gathered data from users to influence voting decisions in the 2017 US election.
- Although this isn’t technically a data breach, as users ‘volunteered’ information in a third-party app, the situation has still caused waves of bad publicity around Facebook’s privacy policies across the world.
- Facebook could have avoided the situation by paying closer attention to the way third parties were accessing and using data.
Rethinking our approach to data security
The volume of data that is collected and harnessed continues to grow exponentially. As a result, businesses are now able to better understand customers, manage interactions and ultimately provide more efficient and effective customer service.
Businesses usually consider security in terms of protecting physical things. We set budgets aside for security features such as security passes, locked filing cabinets, alarm systems and security guards.
We can’t keep applying the budget decisions of the physical world to the digital world. The security risks in the digital world are significantly higher, due to:
- the sheer volume of data that can be found online
- the anonymity with which hackers can operate
- rapid advancements in technology
The rise of artificial intelligence, for example, is enabling highly sophisticated attacks. Automation lets these anonymous hackers gain access to vast amounts of data with little direct human involvement.
What you need to do now
The law is already in effect. As a result, the time for action is overdue. Businesses need to review and consider the information that they collect and keep on online digital platforms, update risk management plans, and reassess the level of security (and budget) dedicated to this business-critical issue.
Unfortunately, you can’t completely eliminate the risk of a data breach (other than by returning to the Stone Age!). To start managing and mitigating your business’s online security risk, follow these steps.
1. Assess and understand
First of all, take the time to assess and understand your existing data security risk.
- What data are you collecting?
  - Do you hold credit card data, customer names, addresses, personal details, personal information, IP addresses, etc.?
- How much data do you collect?
  - What are the volumes?
- How would a data breach or your site going offline impact your business?
  - Will your reputation suffer? Will you fail to meet legal or regulatory requirements?
- What are the existing security features?
  - When was the last upgrade?
  - What platform do you use?
  - Is the website supported by current security features?
- What level of monitored security is in place?
  - Is a process in place to detect a breach? Do you have a process to regularly update security?
- Is the security adequate?
  - Does your business manage security internally or use an external data security company? Does your security support plan properly manage the risk?
2. Prepare
Preparation is key! Work out the process your business will follow in the event of a data breach.
- Document and sign off a Data Breach Risk Management & Response Plan that covers the requirements for:
  - Digital and forensic IT
  - A customer communication plan
  - Reporting to the Australian Information Commissioner
3. Reduce your exposure
Some ways to more effectively manage your data security risks include:
- Reducing the volume of data collected by only collecting the data you really need
- Deleting non-critical data as soon as you no longer need it
- Transferring data from online storage to offline storage on a regular basis (if you need to keep it, put it in a safer place)
4. Maintain and monitor
Once you’ve audited your business’s data security, you need to regularly monitor and maintain your data security systems.
- Regularly apply the latest security updates and features
- Review your risk management routinely
- Implement alarms to detect potential breaches
- Inspect the systems at regular intervals
5. Upgrade or replace
Finally, depending on the age and quality of your website, you may need to upgrade it to support a higher security profile. In cases where the underlying code is high risk and/or no longer supported by current security features, you may even need to perform a full replacement of your website platform.
In the end, data security is your responsibility
The new law has made it clear: the Australian Government considers data security to be the responsibility of businesses. However, meeting these obligations isn’t just a legal requirement; it’s also the ethical thing to do.
The best way to protect your customers and meet your obligations is to make sure you have a robust data security policy in place.
Feeling slightly insecure?
Let’s work out a plan.