But are they just a concern for really big enterprises on the scale of an Optus or a Medibank?
The simple answer is no.
The value of the data in those breaches was large because of their scale, but they could have occurred to any business that has to collect data. If you have customer addresses (email or real world) or banking details on file, you’re collecting data – and that means nearly every business will have a risk of some sort.
The reality is that personal data has value, and if you need to collect that data for any reason, you need to be aware of the potential for a data breach from your business, and what you should do if the worst happens.
What is a data breach?
In the online context, a data breach occurs when data that is meant to be private, and especially data that can be used to identify individuals, is accessed by anyone who doesn’t have the right to access or distribute it. That could include your business financial records, customer databases, or any other information that could be used for identity theft, blackmail or other illegal purposes.
How do data breaches happen?
Typically they’re the result of a weak link in your business security. That could be the use of unpatched or insecure software that connects online in some way, or social engineering tricking you or your employees into giving access to cyber criminals.
These attacks come in a variety of forms: fake emails telling employees that their email or financial access is about to be withdrawn unless they log in, which lead to fake websites that capture their login details; or software that probes the security layers around your business, looking for known or newly discovered software weaknesses to exploit.
What are my obligations if a data breach happens?
There’s a line here between your legal obligations, and what you really ought to do.
I should preface this by saying that I’m not a lawyer and this does not constitute legal advice; the issues here are complex and if you’re concerned it’s well worth seeking out the advice of a legal professional for your particular circumstances.
In broad terms, however, under the current Australian Privacy Act, which dates from 1988, if your business turnover is under $3 million per year, in many cases you’re classed as a small business, and your obligations are a little different from those of larger businesses.
If your turnover does exceed $3 million, however, and a breach occurs, you need to work within the Notifiable Data Breaches scheme to inform both the individuals involved and the OAIC (Office of the Australian Information Commissioner) about the breach.
Those obligations also currently apply to specific business sectors regardless of turnover: if your business is in private sector health care or specific financial services (especially providing credit), if you work as a contractor for the Australian government, or if you operate some form of residential tenancy database, you’re also covered by the current version of the Privacy Act.
If you’re unsure, the OAIC has a small business checklist here that can run you through whether your business may be currently obliged under the Privacy Act.
However, it’s worth noting that at the time of writing there are large-scale reforms to the Privacy Act being proposed that could see all businesses, no matter their scale, become covered by the Act. The logical endpoint of those changes is that even small businesses will very likely be obliged to report data breaches.
As it stands, the OAIC can still investigate customer complaints about privacy breaches from small businesses; it’s just that the adherence to all parts of the privacy act may not apply to a smaller business.
Frankly, while a data breach isn’t something that you actively invite, it’s a good preventative measure to have a data breach plan in place, as well as to generally notify affected individuals so they can prepare and protect themselves in the most suitable manner.
What should I do if my business is hit by a data breach?
The key thing to do is not delay, because acting promptly can save significant difficulty down the track.
- If a data breach has occurred, the first thing you should do is establish the scope of what data has been stolen. This allows you to plan your next steps and get as complete a picture as possible of the implications of the breach. It’s a different matter, for example, if somebody’s email address leaks than if a scan of their driver’s licence does, even though neither is desirable. Document everything that you do and everything you discover.
- Next, as quickly as possible, plug the data leak, whether that means upgrading systems, changing system passwords, educating staff about phishing or replacing hardware that has unfixable or unpatchable security holes. While the original cybercriminals may have grabbed some data, there’s no telling whether others may come sniffing, so locking the digital front door of your business down tight may prevent future headaches. Not sure how to plug the leak? Don’t hesitate to call Geeks2U, who can send an expert technician to help fix any security issues hackers are abusing.
- Then comes the issue of notifying the OAIC and individuals as required, as well as a more forensic investigation of what’s happened and why. This becomes more complex if your business operates outside Australian jurisdictions, as other privacy obligations may come into play.
Liability around breaches varies – and is somewhat outside the scope of this article – but the costs can be considerable. Being able to show that, although a breach occurred, you followed best practice in locking down data and rapidly informing affected individuals may lead to more positive outcomes than doing little or nothing in response to a data breach.
If you haven’t been subject to a data breach, you have time right now to consider these steps, look for weak links in your network security, business practices or data-keeping habits, and come up with a data breach plan covering how you’d react if the worst happens.