We’ve seen great engagement from our recent ‘Defend the Data Breach’ events in Orange and Bathurst and an excellent uptake of our previously published Data Breach Response Plan templates. This post expands a little on the new laws, and how they might affect you and your business, as well as what you can do to help protect yourself.
Before getting into the Notifiable Data Breach Reporting (NDBR), we’d would like to remind you that the main reason for this law – it is not to “name and shame businesses”, but rather to protect individuals’ information.
It is far easier and safer to do this before we get to the data breach stage by taking multiple, simple steps to prevent the breach from happening. Eight ways to do this, regardless of your organizations industry or size, are as follows:
1. Ensure all staff members and contractors have unique, strong usernames and passwords and that no one else knows them i.e. no more “Password1” type passwords. We have seen more hacking attempts on shared accounts in the past 24 months than any other hacking attempt. Accounts, Sales, Warehouse, Accountant and Admin are all common account names that often have shared passwords that are easy to guess / hack.
2. Have a PC auto lock policy, so that unattended PCs are not sitting with open access to personal information. Build an organization-wide culture of “if you leave your PC lock it!”.
3. Use PC, laptop and phone encryption – this prevents lost or forgotten devices from being a data breach. If a device is encrypted, no-one can access data without the decryption key which prevents the any chance of a data breach.
4. Don’t email personally identifiable information without it being encrypted. Free tools such as 7zip can be used to easily encrypt attachments before sending them. Colton Computer Technologies also have a wide range of tools to help enforce this.
5. Train Staff to identify phishing emails (spam) – phishing emails are responsible for 57% of all data breaches. Through using a combination of email protection (spam filtering) and staff training tools we can effectively cut the chance of a data breach by 50%.
6. Keep your PCs and devices up to date. Patching or updating is an essential step in protecting your organization from malicious software attacks. Last year, the two biggest ransomware attacks used exploits that had been patched by Microsoft (fixed) 3 and 6 months before the attack. If more organizations had maintained their PCs in an “up-to-date” state, these attacks would have been much less successful.
7. Antivirus and anti-exploit software. These products are an essential part of protecting your organization. Through antivirus and anti-exploit software (targeting the vulnerability in the system not looking for the virus) and the last line of defence, Cryptoguard software (which looks for processes encypting files and stops the process before your files are “stolen”) are an important part of the information security mix.
8. Have a data breach response plan (see below) and make sure its up-to-date.
We did say eight steps to prevent data breaches, however, a ninth step to minimise the fallout of a data breach (along with your plan above) is to have a Cyber Insurance policy, or have this as part of your overall business insurance policy.
Below are links to resources from the Office of the Australian Information Commissioner (OAIC) and our “quick and dirty” guide to making sure your business is protecting its revenue and reputation while staying compliant with Regulations.
As of the 22 February, 2018, mandatory notification of eligible data-breaches-scheme came into effect. If an entity covered by the scheme has an eligible data breach then they must notify the OAIC and in some situations, the person(s) whose data was breached.
There are three criteria that have to be met for a data breach to be eligible (seems strange to have to qualify to report a bad thing to the government?)
1. There is unauthorised access or disclosure of personal information, or loss of, or access to, that information. (hacking, ransomware, unintentional disclosure etc).
2. The event is likely to result in serious harm to one or more individuals (potential identify theft, fraud etc).
3. The entity has not been able to prevent the likely risk of serious harm with remedial action.
Please read the examples at the bottom of the link above as they best demonstrate how these laws apply and how they should be interpreted.
Reporting a Eligible Breach
At this point it is worth noting that your responsibility under the legislation is to inform the person(s) who have had their data breached, that it has happened and what they can do to minimise or mitigate their risk. Public notification (through website publication) has to occur is when the entity cannot clearly define whose data was included in the breach.