As the dust settles following the announcement that a new bill will change the way Australian businesses report lost or breached data, many are now raising the question – what action do I need to take, and when?
Recently, the Privacy Amendment (Notifiable Data Breaches) Bill 2016 was passed by Parliament, meaning that organisations in Australia covered by the Privacy Act will soon be legally obliged to notify the Privacy Commissioner, and the affected individuals, of eligible data breaches (those likely to result in serious harm) as soon as practicable after becoming aware of them.
Given that the scheme is scheduled to come into effect in 2017, with an exact date yet to be determined, businesses should begin addressing the implications of this legislation for their current practices.
Beyond the direct cost of a breach in lost business and damaged reputation, legal costs must also be considered. With the new legislation on the horizon the cost of getting it wrong rises further: serious or repeated non-compliance can attract penalties of up to $1.8 million.
Identifying your weakest link is key to prevention
The reality for a lot of businesses is that there are many security time bombs in the workplace, including abandoned documents on the printer, messy desk areas, unlocked or visible computer screens, unsecured recycling bins, employees downloading confidential documents onto personal machines, and unsecured and lost personal devices such as smart phones and tablets.
With the average office worker still using over 10,000 sheets of paper every year, a significant amount ends up in waste and recycling bins.
For this reason, human error or accidental loss by an employee is a major security risk in its own right, to say nothing of deliberate malicious acts.
Who do you trust with your data?
Businesses increasingly rely on third-party secure destruction partners to manage the risk of confidential information in physical format.
A simple audit will allow you to assess the quality, expertise and integrity of your secure destruction partner.
Businesses must reflect on four key questions:
1. Does your data security partner provide you with documented proof that confidential information has been destroyed?
Whoever you choose, it is essential that your destruction service provides you with a Certificate of Destruction after your materials are destroyed.
Ask your supplier about their chain of custody – a reputable secure destruction company will be more than happy to provide proof and be able to demonstrate the security procedures they have in place.
2. Does your partner allow you to visit their sites and examine the security measures in place to ensure you are comfortable with how your information is being processed and protected?
Information destruction companies, particularly those that have off-site services (where the destruction is done at their premises and not yours), should welcome the opportunity to demonstrate their security standards.
The openness and transparency of the audit process is critical to providing you with peace of mind that your data is being disposed of in the correct manner, and that security standards are applied consistently across the partnership.
3. Does your partner have the capacity to destroy electronic media and hard drives?
It isn’t just paper that puts a business at risk of a data breach; failing to destroy hard drives and electronic records is just as damaging.
In Shred-it’s 2016 State of the Information Security Industry Report, Professor Matthew Warren of Deakin University highlights ‘knowledge leakage’ as an area of information security requiring serious attention.
This describes the loss of information or knowledge that is critical to the organisation, which can happen across various formats – networks, emails, paper, devices or USB drives.
If your electronic data disposal process relies on deleting files, reformatting or a "quick" erase, the data is still there: those operations rewrite filesystem metadata and leave the underlying sectors intact, so you and your customers remain exposed. A properly executed and verified overwrite or degauss can be adequate, but each comes with conditions – degaussing only works on magnetic media and does nothing to SSDs or flash storage, and an overwrite has to be verified against the raw media and cannot reliably reach spare or remapped blocks on solid-state drives.
Physical destruction is the method that gives a verifiable result regardless of media type, which is why end-of-life drives should be shredded rather than simply wiped and resold or recycled.
4. What standards of professionalism and integrity does your partner work to?
Expectations of a secure information destruction partner should be stringent, and the same standards should apply to every one of their employees.
Ask to see documented proof that all company representatives who will visit your premises and handle confidential information have satisfactorily passed National Police Checks.
You should also expect to be provided details of whether your material will be shredded on-site (at your premises) or off-site (at their premises).
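Question 3 above rests on a point that is easy to verify for yourself: deleting or quick-formatting rewrites metadata and leaves the payload on the media, so a sanitisation check has to read the raw sectors, not the filesystem. The following is an added example written for this page (not code from the article or from Shred-it) that scans a raw image sector by sector, classifies each as all-zero, random-looking or still structured, and searches for a known plaintext marker. It assumes the media is available as a raw byte image (as you would get by reading the whole block device), uses a constructed toy filesystem layout rather than a real on-disk format, and needs Python 3.9 or later for `random.Random.randbytes`.

```python
"""Added example: verify that a drive image was actually sanitised rather than
just 'deleted' or quick-formatted. Assumptions (not from the article): the
media is a raw byte image, a known plaintext marker was stored on it before
disposal, and the on-disk layout below is a constructed toy, not a real format.
"""
import math
import random
from collections import Counter

SECTOR = 512
IMAGE_SECTORS = 128          # 64 KiB toy image
HIGH_ENTROPY = 7.0           # bits/byte; random or encrypted data sits near 8.0


def shannon_entropy(buf: bytes) -> float:
    """Plug-in Shannon entropy in bits per byte (0.0 for all-zero, ~8.0 for random)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def verify_sanitized(image: bytes, marker: bytes) -> dict:
    """Classify every sector of a raw image and search the raw bytes for the marker.

    Reading the raw bytes is the point: a quick format or unlink only rewrites
    metadata, so payload sectors (and the marker) survive and show up here.
    """
    zero = random_like = structured = 0
    for off in range(0, len(image), SECTOR):
        sec = image[off:off + SECTOR]
        if not any(sec):
            zero += 1
        elif shannon_entropy(sec) >= HIGH_ENTROPY:
            random_like += 1
        else:
            structured += 1
    found = marker in image
    return {
        "sectors_zero": zero,
        "sectors_random_like": random_like,
        "sectors_structured": structured,
        "marker_found": found,
        "sanitized": structured == 0 and not found,
    }


# --- constructed toy media (not a real filesystem) ---------------------------

MARKER = b"CONFIDENTIAL client list - Acme Pty Ltd, 42 Example St"   # constructed


def build_image() -> bytearray:
    """Toy layout: sector 0 = superblock, sector 1 = file table, payload in sectors 8-11."""
    img = bytearray(SECTOR * IMAGE_SECTORS)
    img[0:8] = b"TOYFS\x00\x01\x00"
    img[SECTOR:SECTOR + 16] = b"clients.csv\x00\x08\x00\x04\x00"   # name, start 8, 4 sectors
    payload = (MARKER + b"\n") * (4 * SECTOR // (len(MARKER) + 1) + 1)
    img[8 * SECTOR:12 * SECTOR] = payload[:4 * SECTOR]
    return img


def quick_format(img: bytearray) -> bytes:
    """What 'delete' / 'reformat' really does: clear the metadata, leave the payload."""
    out = bytearray(img)
    out[0:2 * SECTOR] = bytes(2 * SECTOR)
    return bytes(out)


def full_overwrite(img: bytearray, seed: int = 7) -> bytes:
    """Single random-pattern overwrite of every sector (seeded so runs repeat)."""
    return random.Random(seed).randbytes(len(img))


def demo() -> dict:
    """Run the check against a quick-formatted and a fully overwritten copy."""
    img = build_image()
    return {
        "quick_format": verify_sanitized(quick_format(img), MARKER),
        "full_overwrite": verify_sanitized(full_overwrite(img), MARKER),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} {result}")
```

Running it shows the quick-formatted image still holding four structured sectors and the marker, while the overwritten image has none; the same scan run over a real device image is the kind of evidence to ask for before accepting "wiped" as equivalent to "destroyed", and a shredded drive is the one case where no such scan is needed.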
Tom Bell is the country manager of document destruction provider Shred-it Australia.