As if the threat of a data breach isn’t bad enough, Australian business owners now need to be aware of enhanced legislation around notifications in the event of a data breach.
Data breaches are a serious threat to businesses throughout the world, but Australia has lagged behind states in the U.S. and other parts of the world when it comes to data breach notification laws. However, that time is coming to an end, as the Australian Senate passed February’s Privacy Amendment Bill. This Notifiable Data Breaches Bill will go into effect 22 February 2018 and has the potential to dramatically change what a business is required to do in the event of a data breach. This bill has been quite a while in the making, as several false starts in 2013 and 2014 ultimately ended without bringing an updated legislation to fruition. See the impact on your organisation and how you can prepare for this new regulation before it takes full effect.
Damages from a Data Breach
The damages caused by a significant data breach can be far-ranging: both for the organization that suffered the breach as well as for the individuals whose personal data was impacted. Cybercriminals are always looking for new and creative ways to make money by leveraging the PII, or Personally Identifiable Information, of individuals. However, the largest damage done is often to the business from which the data was stolen, as the business can be impacted by negative press, massive drops in consumer confidence and additional remediation costs such as attorney fees and notification fees. These serious damages include public scrutiny, especially from vendor partners or investors, as well as the need to spend considerable time, effort and energy reviewing current security procedures and looking for changes that can be made that will add to the overall security of the business in the future. On top of all of the upheaval, it’s not unusual for a business who suffered a data breach to lose up to 20 percent of their overall client base in the near term as a byproduct of reduced consumer confidence.
Barriers to Security
Chief Security Officers are quick to note that there are significant challenges associated with maintaining adequate security postures. Increasingly complex systems with a great deal of interoperability can cause integration teams to take shortcuts with security, such as not applying patches quickly due to the concern about potential system outages. Another oft-cited difficulty is keeping the number of security protocols under control. More is not always better, especially when it comes to the number of security products in play. When there are a dozen or more unique platforms, you’re leaving significant room within the infrastructure for gaps and mistakes. The speed that business leaders require may allow systems to be launched without adequate hardening, or abandoned without being fully depreciated and disconnected from all other systems.
Malware and Ransomware
With the extensive complexities in systems that are all targeted towards preventing cyber attacks, hackers are going back to the classic attacks that have worked for years, such as malware and spammy email links. These simple yet highly-effective attacks are dependent upon convincing a well-meaning employee to click a link, open a file or take another action that provides either damage to the account or access to the network for hackers. There is not always a need for cybercriminals to craft a sophisticated attack when a basic click-ad that launches malware will do the job of getting them into the system just fine! Security protocols on the technology side can be supplemented by extensive training on the business side of the house, as knowledge and awareness are shown to be the most effective ways of combating these types of attacks.
What Constitutes a Data Breach
The updated legislation defines a data breach as a situation where:
- Unauthorized access to the personal information of one or more individuals has been obtained by cybercriminals
- There is a strong likelihood that the information obtained can be used in a detrimental way
- Individuals who are affected by the breached information are likely to incur serious physical, psychological, financial or other harm as a result of the disclosure
Information that is considered personal includes such items as tax file numbers, personal health data, and credit information.
Actions to Take in the Event of a Breach
Should your organization be the target of a data breach, there are actions that you should be prepared to take immediately, such as the new compulsory regulatory notification. The Office of the Australian Information Commissioner (OAIC) requires that notification is made “as soon as practicable after the entity is aware that there are reasonable grounds to believe that there has been an eligible data breach” — an important change from previous notification requirements. Previously, organizations were encouraged, but not required, to take this step, but failed to notify the proper authorities now carries a stiff penalty. This is particularly onerous as the legislation requires that notification is completed if even a single record is compromised. With fines starting at $360,000 for individuals and $1.8 million for organizations, this isn’t a requirement that can be taken lightly.
The cost of data breaches and the high potential for loss, it’s more important than ever that businesses look for ways to enhance cybersecurity. Want to learn more about how your organisation can improve security measures?
Want to learn more about how your organisation can improve security measures?
Contact us and speak to a security professional today and determine if there are remediation measures that you can take immediately to support your current security posture.