Customers’ personal data is a valuable asset, but keeping it private is paramount. While prevention is always better than a cure, acting quickly and decisively will help contain the fallout from data breaches.
Last month’s data breach by the Australian Red Cross Blood Service, which saw the personal details of 550,000 donors leaked online, has once again focussed attention on cyber security. The Red Cross leak, one of the largest in Australian history, occurred when a file containing donors’ details was accidentally placed on an unsecured part of the organisation’s website.
“High profile cases such as the Red Cross leak show how easy it can be for personal and sensitive information to become public,” says Julian Courtney-Stubbs, Director, Australian Business Lawyers & Advisors.
“All private sector and not-for-profit organisations with an annual turnover of more than $3 million, private health service providers and some small businesses have a responsibility under the Privacy Act to protect personal information collected, with more onerous obligations concerning sensitive information such as race or ethnic origin, political or religious beliefs, trade union membership or sexual orientation.”
As breaches of the Privacy Act can attract a penalty of $360,000 for an individual and $1.8 million for a body corporate, taking steps to avoid a data breach in the first place should be a priority.
To reduce the risks of data being leaked one can take reasonable steps and implement policies concerning:
- governance, culture and training
- internal practices, procedures and systems
- ICT security
- access security
- third party providers (including cloud computing)
- data breaches
- physical security
- destruction and de-identification
“Before you even collect personal information, you need to consider how to protect that information at all stages of the information lifecycle, including how it is destroyed or de-identified when no longer needed,” says Courtney-Stubbs.
Unfortunately, as the Red Cross case indicates, mistakes can happen. When you need to move quickly to contain the breach and initiate a preliminary assessment, evaluate the risks associated with the breach, advise those affected and put measures in place to prevent future breaches.
“The first thing to do is take whatever steps possible to immediately contain the breach,” he adds. “For example, stop the unauthorised practice, recover the records, or shut down the system that was breached. If it is not practical to shut down the system, or if it would result in loss of evidence, then revoke or change computer access privileges or address weaknesses in physical or electronic security.
“Assess whether steps can be taken to mitigate the harm an individual may suffer as a result of a breach.”
It’s also important to move quickly to appoint someone to lead the initial assessment. This person should have sufficient authority to conduct an initial investigation, gather any necessary information and make initial recommendations. A more detailed evaluation may be required at a later stage.
“You’ll also need to determine who needs to be made aware of the breach, both internally and potentially externally,” Courtney-Stubbs says. “In some cases it may be appropriate to notify the affected individuals immediately; for example, where there is a high level of risk of serious harm to affected individuals. If the breach appears to involve theft or other criminal activity, it will generally be appropriate to notify the police. If the data breach is likely to involve a real risk of serious harm to individuals, or receive a high level of media attention other steps may be appropriate, including informing the Office of the Australian Information Commissioner.”