Nothing makes your stomach drop out quite as fast as receiving data breach notifications that tell you your private information might be at risk due to a recent hack. That’s the kind of intense dread almost 50,000 Australian workers and 5,000 federal public servants felt when the country’s largest data breach occurred in late 2017.
Caused by a private contractor, the incident didn’t jeopardise national security, classified material, or even sensitive government data. Instead, it exposed thousands of staff records from a variety of businesses—we’re talking major damage caused by exposing employee email addresses, passwords, and IDs.
Australia’s Privacy Act 1988 (Cth) will be subject to a number of timely amendments regarding data breaches from February 22, 2018. As part of those amendments, data breaches will in many cases need to be reported to the Office of the Australian Information Commissioner (OAIC), as well as to any affected individuals. Organisations that collect credit information, personal information or Tax File Number information may be forced to issue data breach notifications if the security of that information is compromised.
Define “serious harm”
That said, there’s some ambiguity here, as the amendments to the Privacy Act don’t provide a clear definition of what should be considered serious harm from a breach. Organisations are required to determine this themselves by considering a long list of factors, including what’s been compromised, the sensitivity of the information, who has obtained (or could obtain) it, and the potential fallout or damage the breach may cause. For example, “serious harm” could result from compromised credit card details or unauthorised access to health records.
Figures from the Ponemon Institute’s 2017 study on the Cost of Data Breaches in Australia show that the average cost incurred by an organisation for a data breach exceeds $2.5 million. What’s worse is that it takes an average of 66 days to contain a data breach, with costs escalating in proportion to the days needed to resolve the issue. Some data breaches attract a lot of media attention when announced to the public, and the costs can then include losses caused by damage to the organisation’s reputation.
Create your essential data breach response
You’re in control of how your business can respond effectively to any potential breaches. As outlined by the OAIC, IT decision-makers should consider including the following steps as part of their data breach response plan:
1. Shut down operations and check systems
Once a breach happens, responding in the first 24 hours is imperative for effective damage control. This is the best time to stop any unauthorised activity, recover records or data, and shut down the compromised system. If shutting the system down is impractical and an alternative is required, revoke or change system access and address vulnerabilities across all security procedures.
That said, you want to contain the chaos within your IT team by establishing a response team and identifying which tasks each member of that team should tackle. If you don’t have enough employees to fill a response team, designate and prioritise ahead of time the steps that need to be taken in the event of a breach, so a plan of action is already in place.
2. Assess all risks
The response team will need to assess the risks associated with the breach. This involves finding out what was compromised, the context of the breach, where the breached information originated, why the breach occurred, and the extent of the damage caused.
3. Issue data breach notifications
Your organisation may be required to submit a detailed statement of the breach to the Office of the Australian Information Commissioner, and inform any individuals who have been impacted as soon as practicable. Such notification needs to outline certain matters including:
What information was compromised
How this occurred
Advice for impacted parties about what actions need to be taken
Your organisation’s contact details
4. Future-proof against data breaches
As part of best practices within an organisation, the IT team must update security policies to accommodate future detection and reporting of any noncompliance—this task is critical to complete, whether it falls to the CIO or an IT manager. As data breaches become increasingly severe and complex (or, at least, more public), both IT and business decision-makers need to be even more aware of their network security.
This includes improving security in less conspicuous areas, such as printer networks. Unsecured endpoints serve as easy entry points for cybercriminals, so invest that IT budget in self-healing printers and other devices that detect threats before and as they’re happening, protect your network in real time, and offer continuous monitoring.
Between the data breach assets and guidelines from the OAIC and some solid investments in protecting your network and endpoints, your team should feel more confident about defending against hackers—and recovering should a breach occur. Make sure your business is off to a good start with a print security assessment, and start crafting your response plan.
The information contained in this webpage is general in nature. It is not intended to be comprehensive or to constitute legal advice. You should not rely on this information without first obtaining legal advice based on your specific circumstances.