Computer hacking and data breaches have become increasingly common and are a significant headache for business owners and leaders.
Data breaches will continue to be prevalent as long as technology remains integral to our everyday life. It is not a matter of if a data breach will affect you, but instead when.
Recognising the need to protect data and privacy, the Privacy Act 1988 (Cth) regulates how entities must deal with personal information and, through its Notifiable Data Breaches scheme, what they must do in the case of an eligible data breach.
Does my business have to comply with the Act?
A person or entity has to meet the Act’s privacy obligations if they:
- Have an annual turnover of more than $3 million (or have had an annual turnover of more than $3 million in the past); or
- Provide a health service and hold health information except in an employee record; or
- Disclose personal information about another person for a benefit, service or advantage; or
- Are a contracted service provider for a Commonwealth contract (whether or not a party to the contract); or
- Are a credit reporting body.
If any of the above applies to you, you must comply with the Australian Privacy Principles (APPs).
To do this, you’ll need to know the following:
- what is a data breach?
- what can you do to minimise any disruption to your business when a data breach occurs?
What is a data breach?
A data breach can take many forms, but it is an eligible data breach under the Act only when all three of the following elements are present:
- unauthorised access to, unauthorised disclosure of, or loss of, personal information held by the entity
- the access, disclosure or loss is likely to result in serious harm to one or more individuals
- the entity has not been able to prevent the likely risk of serious harm with remedial action.
If a data breach features all of the above elements, it must be notified to the Office of the Australian Information Commissioner (OAIC) and to the individuals at risk of serious harm. If you only suspect that an eligible data breach has occurred, the Act requires you to assess it within 30 days. The OAIC may investigate the breach, and the business or entity could face serious financial penalties or directions to rectify the issue.
The OAIC's July-December 2020 Notifiable Data Breaches Report confirmed that about 40 per cent of all reported data breaches in Australia were due to human error, e.g. sending an email to the wrong person or leaving confidential documents open on shared computers.
The rest were almost all related to malicious or criminal attacks, the most common of which were:
Phishing
Most people have received an email claiming their account is compromised and needs emergency action, or that their online purchase requires them to verify their payment details. These are phishing attacks, designed to get you to provide passwords or other confidential details (e.g. your account number) to third parties.
Use of compromised or stolen credentials
In early 2019 a collection of usernames and passwords dubbed Collection #1 through to Collection #5 circulated on hacking forums and the dark web. Combined, these collections contained over 25 billion email/password records (many of them duplicates of earlier leaks). This was not the first collection of email/password pairs to be released, nor will it be the last. Attackers replay these pairs against other services (credential stuffing), counting on password reuse, and individuals cannot protect themselves if they are not aware that their credentials have been breached.
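One practical defence against reused, already-leaked passwords is to screen a password against a breach corpus at registration or login without ever sending the password itself. The example below is added here and is not code from the original article: it implements the k-anonymity lookup used by the Have I Been Pwned "Pwned Passwords" range API, where the client sends only the first five hex characters of the SHA-1 hash and matches the remainder locally. To run offline it replaces the real HTTP call with a constructed local corpus of three example passwords and invented counts; the function `local_range_lookup`, the corpus contents and the counts are assumptions for this example, and `breach_count` accepts any lookup callable so a real client can be substituted.

```python
import hashlib
from typing import Callable, Dict, List


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hex_digest: str) -> tuple:
    """k-anonymity split: 5-char prefix goes over the wire, 35-char suffix stays local."""
    return hex_digest[:5], hex_digest[5:]


# Constructed stand-in for a breach corpus (counts are invented for this example).
_CONSTRUCTED_CORPUS: Dict[str, int] = {
    "password": 1000,
    "123456": 2000,
    "qwerty": 300,
}


def _build_range_index(corpus: Dict[str, int]) -> Dict[str, Dict[str, int]]:
    """Index the corpus as prefix -> {suffix: count}, mirroring the API's layout."""
    index: Dict[str, Dict[str, int]] = {}
    for pw, count in corpus.items():
        prefix, suffix = split_hash(sha1_hex(pw))
        index.setdefault(prefix, {})[suffix] = count
    return index


_RANGE_INDEX = _build_range_index(_CONSTRUCTED_CORPUS)

# Records which prefixes a lookup was asked for, to show what actually leaves the client.
QUERY_LOG: List[str] = []


def local_range_lookup(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    Returns a body in the same 'SUFFIX:COUNT' line format the real service uses,
    built from the constructed corpus above.
    """
    QUERY_LOG.append(prefix)
    lines = [f"{s}:{c}" for s, c in sorted(_RANGE_INDEX.get(prefix, {}).items())]
    return "\r\n".join(lines)


def breach_count(password: str,
                 range_lookup: Callable[[str], str] = local_range_lookup) -> int:
    """Number of times the password appears in the corpus (0 if not seen).

    Only the 5-char hash prefix is handed to range_lookup; the suffix comparison
    happens here, so neither the password nor its full hash is disclosed.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    body = range_lookup(prefix)
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def is_acceptable(password: str,
                  range_lookup: Callable[[str], str] = local_range_lookup) -> bool:
    """Policy hook: reject any password seen in a breach at all."""
    return breach_count(password, range_lookup) == 0


if __name__ == "__main__":
    for pw in ("password", "a-long-unique-passphrase-9Qx!"):
        print(f"{pw!r}: seen {breach_count(pw)} times, acceptable={is_acceptable(pw)}")
    print("prefixes sent to lookup:", QUERY_LOG)
```

Against the real service the same `breach_count` works unchanged once `range_lookup` is replaced by a function that performs the HTTP GET and returns the response body; the important property to preserve is that the callable receives only the five-character prefix.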
Social engineering
Social engineering does not always require technical expertise: it uses different communication channels and pressure to coax information out of users. Phishing is one form of social engineering; others include phone calls from someone pretending to be your bank and pop-up ads claiming your computer is infected with a virus.
Ransomware
The popularity of ransomware has increased sharply over the last few years, rising by 150 per cent in the first six months of 2020. Ransomware is often delivered through an attachment or link in a spam email which, when opened, encrypts the files on the device and demands payment for the key to unlock them. Certain strains of ransomware also steal (exfiltrate) the victim's data before encrypting it and threaten to publish it, so paying for decryption does not end the exposure.
How to minimise disruption to your business when a data breach occurs
A data breach response plan sets out, in advance, your strategy for dealing with a breach so that it can be relied upon when one occurs.
Having an effective system in place to detect, contain and respond to any type of data breach helps you meet your obligations under the Privacy Act. It also puts you in the best position to take remedial action quickly, which can prevent the likely risk of serious harm and so avoid the breach becoming one you must notify.
An effective response plan should include:
- best practices for minimising the likelihood and impact of a data breach
- implementation of cybersecurity measures in your business
- a step-by-step guide on how to respond to a data breach
- how to review a data breach once it has been resolved