What is a data breach?
A data breach, also referred to as a ‘data spill’, is when personal information is accessed by, or disclosed to, an unauthorised person. The term also covers instances where personal information is modified or deleted without authorisation, or where personal information is lost.
It can affect any business, big or small, in any industry or sector, and it happens every day in our digitally connected world.
The three main ways data breaches occur are:
1. Cyber attacks. This is a cyber security incident with malicious intent by cybercriminals or disgruntled employees (insider threat).
2. Human error. This type of breach is accidental and therefore avoidable when care is taken.
3. Operational hiccups or system bugs. This can take place due to malfunctioning software or inefficiencies such as gaps in business processes.
In a business context here are some examples of how it can happen:
- Your customer relationship management (CRM) system containing personal information is hacked. The cybercriminal may demand payment and threaten to publish or sell your customers’ personal information if the demand is not met.
- A laptop containing sensitive information is lost or stolen. If the data is accessible, this results in a data breach.
- Personal information is disclosed or shared by mistake with a third party. This may be accidental but sometimes can be due to bad judgement – an employee may be ‘tricked’ into disclosing information.
When collecting customer personal information, such as via contact forms on your website, only collect what you need. Ask yourself: do you really need to know your customer’s date of birth? The less you collect, the less is exposed should there be a data breach. Likewise, only store the data for as long as required. Retaining data for many years can turn a small incident into a large breach that could have been avoided, and can also place you in breach of your data retention obligations.
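The two controls above, collecting only the fields you need and purging records once their retention period has passed, are easy to enforce in code. The following is an added example, not code from the original page or from any product it mentions; the allowed-field list, the record kinds and the retention periods are assumptions chosen for illustration, and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: the only fields a website contact form is permitted to store.
# Anything else (date of birth, phone, address) is dropped before it is saved.
ALLOWED_FIELDS = {"name", "email", "enquiry"}

# Assumption: retention period per record kind, in days. Real values come from
# your own retention obligations; these are placeholders.
RETENTION_DAYS = {
    "contact_form": 180,      # enquiries are answered and then no longer needed
    "invoice": 7 * 365,       # financial records kept for a fixed statutory period
}


def minimise(submission: dict) -> dict:
    """Return only the allow-listed fields of a form submission (data minimisation)."""
    return {key: value for key, value in submission.items() if key in ALLOWED_FIELDS}


def rejected_fields(submission: dict) -> list:
    """List the fields that minimise() would discard, for logging or for fixing the form."""
    return sorted(set(submission) - ALLOWED_FIELDS)


@dataclass(frozen=True)
class Record:
    record_id: str
    kind: str
    collected_on: date


def expired_records(records, today: date) -> list:
    """Return the ids of records held longer than their kind's retention period.

    A record kind with no configured retention period raises rather than being
    silently kept forever, so a gap in the policy surfaces instead of piling up data.
    """
    purge = []
    for record in records:
        limit = RETENTION_DAYS.get(record.kind)
        if limit is None:
            raise ValueError(f"no retention period configured for record kind {record.kind!r}")
        if today - record.collected_on > timedelta(days=limit):
            purge.append(record.record_id)
    return purge


# Constructed sample data for a stand-alone run.
SAMPLE_SUBMISSION = {
    "name": "A. Customer",
    "email": "a.customer@example.com",
    "date_of_birth": "1980-01-01",   # not needed to answer an enquiry
    "enquiry": "Do you deliver to regional areas?",
}

SAMPLE_RECORDS = [
    Record("cf-001", "contact_form", date(2023, 11, 1)),   # 242 days old on TODAY
    Record("cf-002", "contact_form", date(2024, 3, 15)),   # 107 days old on TODAY
    Record("inv-2016", "invoice", date(2016, 1, 10)),      # well past 7 years
    Record("inv-2020", "invoice", date(2020, 1, 10)),      # within 7 years
]

TODAY = date(2024, 6, 30)  # fixed date so the example is reproducible

if __name__ == "__main__":
    print("stored:", minimise(SAMPLE_SUBMISSION))
    print("dropped:", rejected_fields(SAMPLE_SUBMISSION))
    print("to purge:", expired_records(SAMPLE_RECORDS, TODAY))
```

Run as a scheduled job, `expired_records()` gives you the list to delete, and `rejected_fields()` tells you which form fields to remove at the source. The unknown-kind check is deliberate: a retention job that defaults to "keep" for anything it does not recognise is exactly how records accumulate for years unnoticed.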
So… what happens when there is a data breach?
Notifiable Data Breaches scheme
Any organisation or company, including some small business owners that are covered under the Privacy Act 1988, must follow the Notifiable Data Breaches scheme. This means, should a data breach be likely to result in serious harm to an impacted individual, you must notify the impacted individuals as well as the Office of the Australian Information Commissioner (OAIC).
Data Breach Response Plan
The OAIC has devised a response plan to help you assess and respond to data breaches in a timely manner. It also serves to help mitigate the possible harm to anyone impacted and to comply with the NDB scheme.
In the event of a data breach, the plan outlines:
- Contact details for appropriate employees.
- Clarification of roles and responsibilities.
- Processes to follow to help the OAIC to respond.
Read more on the Data Breach Response Plan.
In relation to a data breach, what does serious harm boil down to?
If you have been hacked or are a victim of identity theft, you have good reason to believe you, your customers and your employees are at serious risk. For example, a threat of financial loss, or worse still, a financial loss that has already taken place, constitutes serious harm. Serious harm can also cover threats of physical or psychological harm, or damage to a person’s reputation.
The number one thing you can do is support employee awareness and implement ongoing training. When it comes to a data breach via cybercrime, the environment is evolving so it’s a good idea for everyone on your books to have their finger on the pulse.
The Australian Cyber Security Centre (ACSC) recommends all businesses instil prevention techniques to stay one step ahead of cyber incidents. This includes documenting and training employees in cyber security systems and plans and implementing cyber security awareness programs for all employees.
Phishing and spear-phishing are common tactics cybercriminals use to trick employees into revealing organisational credentials such as usernames and passwords, or into deploying malicious software. If successful, this opens the gateway to cybercrime, including the theft of personal information. When your employees are cyber alert they have the tools to be cyber safe and can play an important role in keeping your business safe.
My Business Cyber is a cost-effective solution designed to keep businesses cyber safe. Tailored to suit your business – whether you’re a one-person operator or have teams – a comprehensive health check will identify where there may be gaps in your cyber security so you can make improvements and safeguard your business. You’ll learn from simulated phishing emails, have access to training and a range of resources including checklists, policies and legal documentation.