New data breach laws come into effect
Business owners will be required to protect and notify individuals whose personal information is involved in a data breach as new legislation comes into effect.
New data breach rules in effect from 22 February 2018 place an onus on business to protect and notify individuals whose personal information is involved in a data breach that is likely to result in serious harm.
The move follows a substantial breach in October 2017 when almost 50,000 employee records from Australian Government agencies, banks, and a utility were exposed (and compromised) due to a misconfigured cloud-based Amazon S3 'bucket'. The breach was reportedly discovered by a Polish researcher who conducted a search for Amazon S3 buckets set to 'open' based on specific criteria in the domain name.
It's just one of many breaches to occur each year, with IT contractors often blamed as the culprit for failing to secure data, leaving unintentional gaps in security, or failing to apply critical patches for software. In October 2016 more than half a million Red Cross blood donors were inadvertently exposed because of an insecure back-up and in the US, a massive breach exposed the credit card and social security records of more than 145 million Americans.
While most businesses work to ensure their systems are secure, data breaches are a reality, whether because of human error, mischief, or simply because those looking for opportunities to disrupt are often a step ahead. It's not just about the IT, however. There have been numerous cases of hard copy records being disposed of inappropriately, employees exposing servers to viruses after opening phishing emails, and sensitive data being lost on portable disk drives.
So what is the Government doing and how does it impact your business?
The Notifiable Data Breach (NDB) Scheme affects organisations covered by the Privacy Act, which includes organisations with an annual turnover of $3 million or more. However, if your business is 'related to' another business covered by the Act, deals with health records (including gyms, childcare centres, natural health providers and similar businesses) or is a credit provider, then your business is also likely to be affected. Special responsibilities also exist for the handling of tax file numbers, credit information, and information that is contained on the Personal Property Securities Register.
The important thing to understand is that compliance with the new laws means more than simply notifying your customers when something goes wrong: the organisation is required to take all reasonable steps to prevent a breach occurring in the first place, to put systems and procedures in place to identify and assess a breach, and to issue notifications if the breach is likely to cause 'serious harm'.
The Privacy Act already requires organisations to take all reasonable steps to protect personal information. The new data breach laws merely add an additional layer to assess breaches and notify where the breach poses a threat.
For example, if you have not already, you should assess issues such as:
- How does personal information flow into and out of your business?
- What information do you gather (including IP data from websites)?
- Do you provide information to others (e.g. client information to third parties)?
Systems, security and access
- Where is personal or private information stored? Ideally, map out which systems you use and where each of those systems stores its data (locally or in the cloud, in Australia or in a foreign country).
- What level of security is provided within those systems, and how much access does your team have compared with what they should have for their role?
- How is private information handled by your business across its lifecycle, and who has access at each stage (not just who accesses the information for their work, but who 'could' access it)?
- What are the possible impacts on an individual's privacy in the event of a breach?
- What policies and procedures are in place to manage private information, including risk management and mitigation, and are they adhered to and actively managed?
- The policy review process: review policies and procedures at least annually, and again whenever new systems and technology are introduced. Remember, you can't just have a policy sitting somewhere; it needs to be actively reinforced and adopted by team members.
- Institute new project protocols for ensuring privacy where personal information is at risk.
- Document everything, including your reviews and procedural updates, even if nothing changed. If there is ever an issue where your business's culpability is assessed, your capacity to prove that you took all reasonable steps will be important.
Business owners often underestimate the risk of data breaches, particularly in implementing best practice cybersecurity when they move into cloud services or share data online. In the everyday admin of running a business, these are some of the things that are likely to cause issues for security:
- Password breaches or weak passwords that enable a hacker or phishing exploit to access the records of the business's staff, including bank account details.
- Not keeping supplier bank details up to date, so that when a supplier gets paid, the money doesn't go where it's supposed to.
- Reproducing staff payment summaries and lodging tax returns, but neglecting to check whether the bank details on their accounts are up to date for refunds to be paid.
- Inadequate protection of client information, such as credit cards, personal address information, and other sensitive data.
Running a business in a digital world means that maintaining adequate security is a constant challenge. Having a good IT team on board to ensure your systems are protected or can respond in the event of a breach is essential, as is having:
- Measures to prompt regular resets of passwords
- Two-step authentication activated wherever possible
- Proper admin control of systems when staff join or leave the organisation, and
- Business insurances that protect it against cybercrime.
When it comes to data breaches, all organisations must have a data breach response plan. The data breach plan covers the:
- Actions to be taken if a breach is suspected, discovered or reported by a staff member, including when it is to be escalated to the response team
- Members of your data breach response team (response team), and
- Actions the response team is expected to take.
The Office of the Australian Information Commissioner provides a sample breach response plan as a good starting point, however your team must understand their responsibilities in the event that private data is exposed.
So, what is a serious breach? A breach has occurred when there is unauthorised access to or disclosure of personal information or a loss of personal information that your business holds.
Whether a breach is serious is subjective but may include serious physical, psychological, emotional, financial, or reputational harm. If a breach occurs, you need to think through how that information could be used for identity theft, financial loss, threats to physical safety (for example someone's home address), job loss, humiliation or reputational damage, or workplace bullying or marginalisation.
If you suspect a breach has occurred, your business is obliged to take "reasonable" and "expeditious" action regardless of whether you think it is serious or not. Under the NDB scheme you have a maximum of 30 days to assess the damage and respond, but in general the first 24 hours is often crucial to the success of your response.
Ignorance is not a defence. A lack of systems to identify system breaches fails the Privacy Act's requirement to take all reasonable steps to protect personal information. As soon as a breach is identified anywhere in the business, whether it is IT based or physical, steps need to be taken - even if it is simply noting that no further action is required.
If you suspect a data breach has occurred that may meet the threshold of 'likely to result in serious harm', you must conduct an assessment. Sounds simple right?
The problem for business is often that there are initially no definitive answers about the extent of a breach or its seriousness for the assessment to take place.
Take the example of a retail business with an online store. A hacker exploiting an unpatched vulnerability in your customer relationship management (CRM) system gains access to the customer database for your online store, which includes customer purchase histories and contact details. IT calls you and tells you there is a problem but can't tell you how it happened, which customer records are affected, or whether the records have been compromised. You don't want to scare your customers by advising of a breach, but you don't know the impact yet. So what do you do?
The first step is generally to contain the damage. Isolate or shut down the affected system to prevent further potential loss, and then assess the scenario quickly: not just because of the NDB scheme, but because your business's reputation is on the line.
If a breach is assessed to potentially result in serious harm, you are obliged to advise affected individuals and the Australian Information Commissioner. You have the option to:
- Notify all individuals whose personal information is involved in the eligible data breach
- Notify only the individuals who are at likely risk of serious harm; or
- Publish your notification and publicise it with the aim of bringing it to the attention of all individuals at likely risk of serious harm.
You advise the Australian Information Commissioner of a serious potential breach using the Notifiable Data Breach statement form.
Data breaches are common, and many countries have moved to ensure that the personal information of individuals is protected. If your business operates overseas or has customers overseas you need to be aware of the requirements in those countries.
Most US states have compulsory data breach requirements. The European Union's General Data Protection Regulation (GDPR) comes into effect from 25 May 2018. If you operate through a local distributor in the European Union or have direct supply into those countries, then it's likely your business will be caught by the Regulation.
For more information, visit the Office of the Australian Information Commissioner.
This article is provided for information purposes only and correct at the time of publication. It should not be used in place of advice from your accountant. Please contact us on 02 9957 4033 to discuss your specific circumstances.