Humanity and real-world connections have become more valued in the last year. Human behaviour has had to change, not only when it comes to hugs and handshakes. With working from home, the lines between work and home have become blurred. This has been highlighted in the latest OAIC data breach report with human error accounting for 38% of all breaches. That’s an increase of nearly 20% from the previous 6 month period.
We can make some assumptions as to why that’s happened. Emotional stress levels of lockdowns, homeschooling, and adapting to a new working environment are all considerations. The way organisations communicate changed, meaning more of a reliance on email to share information that may have been previously shared during an in-person meeting. Working from home, for many, also has more distractions than the formality of the corporate office. The OAIC specifically called out the need to undertake privacy impact assessments:
In early 2020, businesses across Australia introduced remote working arrangements in response to the COVID-19 pandemic. The OAIC has highlighted the privacy risks arising from these arrangements, recommending that entities consider undertaking privacy impact assessments to screen for unexpected privacy issues and to help mitigate any privacy risks associated with remote working arrangements.
The health sector remains the highest reporting industry contributing almost a quarter of all breach reports. Another callout from the OAIC is the timeliness of assessment and reporting relating to breach notifications:
However, increasingly the OAIC is seeing instances of organisations taking much longer than 30 days to complete their assessments, with further significant delays before they notify affected individuals. Additional time taken to assess a breach must be reasonable and justified in the circumstances, with notification to individuals to occur as soon as practicable.
As part of the regulations relating to data breaches, it’s an organisations responsibility to notify any individuals of any data breach, including recommendations as to what they should do in response to the breach. In the case of the Marriott data breach in 2020, nearly 5.2M guest records including credit card details were compromised. When that data is out in the wild and on the black market for sale, even 30days is a long time for someone not to know.
Over the next few months we’re introducing our business continuity series, and we’ll cover how you can mitigate risks, build resliciency and plan for the unexpected. Whilst continuing to protect your reputation at the same time.
In the mean-time, because we’re all human, start by revisiting your strategies for cyber-security. Define to your staff what types of sensitive communications can be sent via email, and also what types of communications they can expect to receive. Look at your data sharing policies, how and where should staff be sharing information. Many businesses in the haste to move to remote working haven’t had the time to think about how interactions and communications have changed. Now is a perfect time, because when you speak with your team, you’ll know what’s achievable and what’s not in this new world. We’ve all been living in it for the last year.
The full report and summary can be found here:
