The Optus and Medibank data breaches are top of mind for a lot of Australians, particularly those who have had their data compromised.
For business, these breaches are a timely warning on the importance of understanding your obligations. This is not something that can be outsourced to IT; it is a whole-of-business issue.
If a customer needs to disclose their personal information to your business to work with you, at the point the data is collected, your business is the custodian of that data. A duty of care exists from the moment the data is collected to the point the information is no longer required and destroyed.
It is imperative that business owners understand:
- What data is held on your customers (and do you need to hold it?)
- How it is secured
- How your systems work and the process to identify gaps and deficiencies
- The appropriate actions you must take if a breach occurs
Data breach – interesting statistics for business
A data breach happens when personal information is accessed or disclosed without authorisation or is lost.
You may be surprised to know:
- Malicious or criminal attacks represent 55% of all reported data breaches
- Human error is responsible for 41%, and
- System faults are responsible for 4%
Where human error was involved:
- 43% – personal information was emailed to the wrong recipient
- 21% – unintended release or publication of personal information occurred
The obligations on business if a data breach occurs
A business must take all reasonable steps to comply with its obligations to prevent data breaches occurring. These obligations are not limited to preventing cyber-attacks.
The Privacy Act requires organisations to take “reasonable steps” to protect the data collected. ‘Reasonable’ steps require the existence of facts which are sufficient to persuade a reasonable person. That is, in the event of a data breach, the business will need to prove the steps it has taken to protect client data.
If the Privacy Act 1988 covers your business, you must notify affected individuals and the Office of the Australian Information Commissioner when a data breach involving personal information is likely to result in serious harm. The notification must be as soon as practicable but is expected to be no later than 30 days.
Being hyper-vigilant is key to protect your business against data breaches
Payment redirection scams, where the email of the business is compromised, caused the highest reported level of loss for business in 2021 at a combined $227 million.
Payment redirection scams involve scammers impersonating a business or its employees via email and requesting an upcoming payment be redirected to a fraudulent account. In some cases, scammers hack into a legitimate email account and pose as the business, intercepting legitimate invoices and amending the bank details before releasing emails to the unsuspecting business. Other times, scammers impersonate people using a registered email address that is very similar to one from a legitimate business.
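The two patterns described above (a near-identical sender domain, and a bank-detail change arriving from an account that may itself be compromised) can both be screened for before a payment is released. The following is an added example, not code from the original article; the supplier domain list, the trigger phrases and the sample messages are constructed for illustration, and the distance threshold of 2 is an assumption a finance team would tune for its own supplier list.

```python
# Added example (not from the original article): triage inbound supplier emails
# before payment. Flags (1) sender domains that are a near-match for a trusted
# supplier domain and (2) any request to change bank details, which should be
# verified by phone even when it comes from a trusted domain, since a legitimate
# mailbox may have been compromised.

# Assumption: a list of supplier domains maintained by the finance team (constructed here).
TRUSTED_SUPPLIER_DOMAINS = {"acme-widgets.com.au", "northern-freight.com"}

# Assumption: phrases that typically accompany a payment redirection request (constructed).
BANK_CHANGE_PHRASES = ("new bank details", "updated account", "changed our bank", "new bsb")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def classify_sender(address: str, trusted=TRUSTED_SUPPLIER_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the sender's domain.

    A domain within max_distance edits of a trusted domain (but not equal to it)
    is the "very similar" registered address the article describes.
    """
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted"
    for known in trusted:
        if levenshtein(domain, known) <= max_distance:
            return "lookalike"
    return "unknown"


def triage_invoice_email(sender: str, body: str) -> str:
    """Decide what accounts-payable should do with an incoming invoice email."""
    kind = classify_sender(sender)
    asks_for_change = any(phrase in body.lower() for phrase in BANK_CHANGE_PHRASES)
    if kind == "lookalike":
        return "quarantine"          # impersonation via near-identical domain
    if asks_for_change:
        return "verify by phone"     # bank-detail change: confirm out-of-band
    return "normal"


# Constructed sample messages, not real correspondence.
SAMPLE_MESSAGES = [
    ("accounts@acme-widgets.com.au", "Invoice 1041 attached, payment due 30 days."),
    ("accounts@acme-wldgets.com.au", "Invoice 1042 attached, note our new bank details."),
    ("billing@northern-freight.com", "We have changed our bank; please use the updated account."),
    ("someone@gmail.com", "Hello, here is a quote."),
]


def triage_samples(messages=SAMPLE_MESSAGES) -> list:
    """Run triage over the sample messages and return (sender, decision) pairs."""
    return [(sender, triage_invoice_email(sender, body)) for sender, body in messages]


if __name__ == "__main__":
    for sender, decision in triage_samples():
        print(f"{decision:16} {sender}")
```

The decision rule is deliberately conservative: a lookalike domain is quarantined outright, and a bank-detail change from a trusted domain is still held for phone verification against a number already on file, never one supplied in the email itself.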
10 practical steps to protect your business against data breaches
- Educate your team about threats and what to look out for, the importance of passwords and password security, and how to manage customer information. Phishing attacks, if successful, provide direct access into your systems.
- Ensure staff only have access to the business systems and information they need. Assess what is required and close out access to anything not required. Also assess how customer personal information is accessed and communicated. Personal information should not be emailed. Email is not secure, and it is too easy for staff to inadvertently send data to the wrong person.
- No shared login details or passwords.
- Complete a risk assessment of your systems and add cybersecurity to your risk management framework.
- Develop and implement cyber security policies and protocols. Have policies and procedures in place for who is responsible for cybersecurity, the expectations of staff, and what to do in the event of a breach. Your policies should prevent shadow IT systems, where employees download unauthorised software.
- Understand your organisation’s legal obligations. For example, beyond the Privacy Act, some businesses considered critical infrastructure, such as some freight and food supply operations, are subject to the Security of Critical Infrastructure Act 2018. This might involve small businesses in the supply chain.
- Use multifactor authentication on your systems and third-party systems.
- Update software and devices regularly for patches.
- Back up data and have backup protocols in place. If hackers use ransomware to lock your systems, you can revert to your backup.
- If customer data is being shared with related or third parties domiciled overseas, ensure your customer is aware of where their data is domiciled, and your business has taken all reasonable steps.
The key takeaways?
Remaining hyper-vigilant, having secure systems, and educating your team members are key to protecting your business and your customers’, clients’, or patients’ data.