I’ve just taken a close look at how we collect, store, access and use the private information of our customers, employees and suppliers. We review regularly, to make sure we are prepared to quickly assess the seriousness of any data breach and take immediate remedial action to minimise any impact to clients or individuals, as well as to our reputation.
This year we have the added incentive of the Notifiable Data Breaches (NDB) scheme (effective on 22 February 2018) which establishes mandatory data breach notification in Australia. Businesses like ours, with over $3M turnover, will have to report data breaches and notify individuals at risk of serious harm. (The NDB also applies any business, irrespective of turnover, that provides a health service or holds health information. Read: Cloud Security and Compliance for Health Start-ups)
The objective of the NDB scheme is to hold Australian businesses and government agencies to a high standard of personal information security. Cyber security solution vendors are warning of hackers and cyber-attackers while flogging their data protection products and services. Yes, data breaches at Uber, Target, eBay, Yahoo, Deloitte, Adobe, Equifax and others were reported as hacks, but data can also be compromised through loss, theft or unauthorised disclosure. Heathrow Airport’s 2017 data breach saw a USB of confidential files found on a city street. In 2018 the Australian Government’s confidential files came with a locked filing cabinet bought in a second hand store.
Even navigation glitches can result in data leakage, as Australia’s Department of Health found out years ago. Two navigation issues temporarily allowed users to have access to other users’ health records and notes without authorisation. They were quickly fixed, but breaches don’t need to last for long to have a huge impact on people, relationships and reputation.
With mandatory reporting and notification, your reputation could take a bigger hit, despite your best efforts.
The commissioner will expect you to take reasonable steps to inform impacted individuals. If you don’t have up-to-date contact details for those effected, you will be expected to go public to bring the data breach to the attention of individuals at risk of serious harm. This means broadcasting details of the breach prominently on your website (for at least 6 months), through your social media channels, as well as via online/print advertising and instore signs.
That’s not the sort of publicity I would want for my business.
Encouraging security and process improvements is essential. However, in today’s world of online markets, collaboration and digital economies, data must be accessible. Striking the right balance is a challenge.
Making data more accessible increases the risks … and hacking, theft and human error are not going to magically stop. But we need to consider the way we approach this problem.
In the early days of motor vehicle design, one pulled a lever against the wheel as a brake. Brakes have progressed and can now stop heavy vehicles travelling at high speeds, quickly and without skidding. Brake design improved because we wanted to go faster, not because we wanted to be safer. Car companies deliver faster and faster vehicles, and as a result we need the protection of better brakes to stop quickly and safely.
It should be similar with data. Protection improvements should be driven by the desire for better accessibility, not by the fear of contravention.
We’ve long recognised that some type of security overlay is essential to protect personal data. We’ve kept up with the latest cyber security software, classified our data against its degree of sensitivity, and established rules around access and use. Our maxim: block what you can’t monitor, enable access to data you can monitor.
However, no system or set of rules is foolproof against human failings. People will lose devices. They will mistakenly share information with the wrong person. They will respond to phishing emails. If your monitoring system is working, you will be able to catch out any misuse early, and fix it quickly. We see education as an important component of data protection and, following my system review, we’ll run training to remind staff of their responsibilities and commitments to privacy.
The NDB legislation creates a framework to ensure we know when our details have been hacked or stolen so that measures can be taken, preventing delays and cover ups. In the longer term it will incentivise organisations to look at how they manage, monitor, access and protect data to the benefit of all.
This scheme will be established under Part IIIC of the Privacy Act 1988 (Privacy Act) and will be administered by the Office of the Australian Information Commissioner (OAIC). Details, forms and process information can be found here.
David Robinson is Consulting Director at Envisian.