This article is for you if your business holds sensitive data about customers or clients.
On February 22nd 2018 Australia is implementing mandatory data breach notification laws.
How does this impact you as a business owner? If sensitive data held by your business is breached or goes missing, it will become mandatory for you to report the incident to the Privacy Commissioner and to notify your entire customer database. This specifically applies to any business with an annual turnover of $3 million or more, as well as any business governed by the Privacy Act (councils, government organisations, schools, private healthcare practices, gyms etc).
Let’s take a second to consider that. How would your reputation fare if you had to notify your customers that some or all of your data had been accessed by a third-party source and you have no idea what they are doing with the information? Can you imagine the potential damage that could do to your reputation as well as your bottom line?
Fines for a breach (or failure to notify relevant parties about a breach) can total $360,000 for individuals and $1.8 million for organisations.
The fines are considerable and are deemed appropriate by the Privacy Commissioner based on the potential damage that a breach of data protection could cause. They apply to both individuals and organisations, which places further emphasis on the importance of staff training and air-tight data security plans for your business.
‘Preventing serious harm’ through remedial action is the term the Commissioner uses for the steps required to help protect your business’ reputation.
Remedial action, in this instance, refers to a solid plan to help protect your clients from suffering ‘serious harm’ if their details were to be breached. One example is a policy that, if a company device is stolen or goes missing, sets out the steps for having the device remotely ‘wiped’. Similarly, it may be a method of instant recovery if a sensitive file is sent to the wrong recipient, which could be as simple as an email template sent to the incorrect recipient with instructions on how to delete the sensitive file.
Without attempting to scare you, this change in legislation will begin to affect businesses in Australia almost immediately. With this change in legislation we also expect to see an increase in malicious activity by hackers looking to exploit businesses and see them take a hit. Take particular note if your business has any political, governmental or financial responsibilities or information.
No business will ever be 100% bulletproof. The best methods of defence, in this instance, are to follow four key security principles which Anderson Morgan enact on a daily basis for our clients:
Create a strategy to reduce the harm caused by a breach as well as develop a plan to make a security breach as unlikely as possible. It is equally as important to create a strategy to cope in the event of a breach.
Use only quality, award-winning security software and practices. Train your team to be vigilant toward ongoing potential threats such as malware or phishing emails. Only hold on to data that is essential for your business to access and, importantly, only grant access to team members who need it.
Employ an IT specialist team who can scan your systems constantly in an effort to detect suspicious behaviour around the clock. By detecting an issue early, steps can be taken to mitigate risks and recover information. Worryingly, some businesses that I have consulted for in the past have been breached numerous times over a long period of time, without even knowing!
Develop a robust, effective and fast recovery system. What would a few days without access to your data cost your business? Putting it bluntly, at Anderson Morgan we can recover data faster than just about anybody else. Ask us how.