With the introduction of the Notifiable Data Breaches scheme in 2018, data protection has become a key focus for organisations around Australia, as data breaches pose an enormous threat to the reputation and capital of Australian businesses.
Trident has reached out to Stephens Lawyers & Consultants, which has provided advice on how Australian businesses can minimise the risk of privacy data breaches. Katarina Klaric, Principal at Stephens Lawyers & Consultants, has also presented examples of how real the consequences of data breaches can be for your organisation.
Privacy compliance and data breach risk management
- The kind of personal information that the organisation collects and holds;
- How the organisation collects and holds personal information;
- The purposes for which the organisation collects, holds, uses and discloses personal information;
- Whether the personal information is likely to be disclosed to an overseas recipient and where that recipient is located;
- How individuals can access information about them and seek correction or lodge a complaint about a breach.
Data breaches can have serious consequences for an organisation, including:
- Business disruption
- Significant costs in responding to a data breach
- Reputational damage
- Loss of valuable intellectual property/confidential information
- Loss of business and revenue
- Reduction in capital/share value of the business
- Substantial costs in regaining consumer confidence that the organisation can be trusted with personal information/data
- Compensation claims by individuals/class actions.
OAIC Data Breach Statistics
Data breach notification statistics published by the Office of the Australian Information Commissioner (OAIC) since January 2018[i] indicate that the majority of data breaches involved human error or cyber incidents involving human factors. These statistics are useful input when assessing an organisation's risk of, and potential exposure to, data breaches.
During the first
During the third quarter July 2018 to September 2018, the OAIC received 245 notifications of data breaches. Once again, the majority of these breaches were caused by malicious or criminal attacks (57%) and human error (37%), with most of the malicious or criminal attacks during the third quarter also being cyber incidents. However, the majority of the cyber incidents during the third quarter were linked to the compromise of credentials through phishing (50%) – a marked increase from the second quarter. The other cyber incidents during the third quarter were compromised or stolen credentials (19%), brute-force attack (compromised credentials) (12%), hacking by other means (8%), malware (8%) and ransomware (3%).
Human error was the second largest source of data breaches during the second quarter (36%) and the third quarter (37%). The major sources of human error were:
- Personal information sent by email or mail to the wrong recipient;
- Unauthorised disclosure (unintended release or publication);
- Loss of paperwork or a data storage device;
- Failure to BCC when sending emails;
- Insecure disposal.
During the second quarter, the majority of the data breaches involved one or more of the following kinds of ‘personal information’:
- The individual’s contact information (89%) – home address, email address or phone number.
- Financial details (42%) – bank account or credit card details.
- Identity information (39%) – information that is used to confirm a person’s identity, such as passport number, driver’s licence number or other
- Health information (25%)
- Tax File Number (TFN) (19%)
- Other sensitive information (other than health information) (8%)
During the third quarter, the majority of the data breaches involved one or more of the following kinds of ‘personal information’:
- The individual’s contact information (85%) – home address, email address or phone number.
- Financial details (45%) – bank account or credit card details.
- Identity information (35%) – information that is used to confirm a person’s identity, such as passport number, driver’s licence number or other
- Health information (22%)
- Tax File Number (TFN) (22%)
- Other sensitive information (other than health information) (7%)
In many cases, unauthorised disclosure of confidential information or data occurs because employees do not adequately understand which data and information is protected under the Privacy Act and other laws for the protection of confidential information, or the organisation’s obligations under those laws to protect that data from unauthorised disclosure, use and loss. Many human-error data breaches can be avoided by appropriate ongoing staff training in data protection, privacy compliance and information handling.
Minimising Risk of Data Breaches – Steps to Assist in Data Protection
There is no single solution for protecting data and complying with data protection laws; a whole-of-business approach is required. People are the most important part of the process and the solution, followed by technology. Safeguards against unauthorised use, disclosure, theft,
Some steps that organisations may consider taking to protect confidential information/data:
- Understand what type of data, including confidential information and personal and sensitive information, is collected and managed by the organisation, and who is authorised to access this information. An audit of the organisation’s data collection and data flows may be required. Legal advice may also be required.
- Undertake ongoing reviews and assessments of the organisational and technological data flows and risks.
- Have all staff sign non-disclosure/confidentiality agreements and provide appropriate training.
- Implement and update appropriate security measures for the protection of confidential information/data, including encryption, password protection, multi-factor authentication and monitoring of data flows.
- Have a cybersecurity expert assess and monitor your computer systems for potential vulnerabilities to cyberattacks, and implement appropriate measures to deal with the risks identified.
- Implement and update appropriate technological measures to deal with possible cyber threats, including viruses, ransomware, malware, hacking and other cyberattacks.
- Keep up to date with the latest scams and cyber threats, including phishing emails and telephone calls requesting passwords and other personal information, and keep management and employees updated. Useful resources for such updates include:
  - Stay Smart Online – an online alert service which provides alerts on the latest threats and information on how to reduce the risk of cyber threats
  - ACCC Scamwatch
  - Australian Cyber Security Centre (ACSC)
  - Australian Cybercrime Online Reporting Network (ACORN)
- Education and training of management and employees.
Compensation for Privacy Data Breaches under the Privacy Act 1988 (Cth)
Katarina Klaric, Principal at Stephens Lawyers & Consultants, predicts that in 2019 we will see a significant increase in the number of class actions commenced in Australia against companies, claiming compensation for data security breaches involving personal and confidential information of individuals.