Legislation before parliament will make it mandatory for businesses to report data breaches to the government – and their customers – making robust data security more important than ever before.
Update 23 April 2018: According to the OAIC's first quarterly report, 63 data breach notifications were received during the first six weeks of the Notifiable Data Breaches (NDB) scheme, which came into force on 22 February 2018.
By Michelle Lindsay
In October 2016, the Australian Red Cross Blood Service announced it had been the victim of a significant data breach. More than half a million donor records, including personal information on sexual activity, drug use and health, were compromised when they were accessed from an unsecured server.
The scale of the breach, and the sensitive nature of the information disclosed, made it one of the most serious in Australia’s history, damaging the organisation’s reputation and opening it up to potential litigation.
While 2016 saw a number of high-profile data breaches, experts warn that this is not just an issue for the big end of town. With new mandatory reporting legislation also set to take effect in 2017, the consequences of a breach could now be a lot more serious.
According to a new report, the IBM Cost of Data Breach Study: Australia, a malicious or criminal attack caused 46 per cent of data breaches in 2016, while 27 per cent were caused by a negligent employee or contractor, and a system glitch was the source of the remaining 27 per cent.
Organisations may be required to report data breaches
Under the proposed Privacy Amendment (Notifiable Data Breaches) Bill 2016, organisations will be required to go public on any unauthorised access, disclosure or loss of personal information which is likely to result in serious harm to the affected individuals.
If a business suspects a data breach, it will be required to carry out an assessment within 30 days. Then, if there are reasonable grounds to believe a data breach has occurred, it will need to notify the Privacy Commissioner, as well as all the affected individuals.
According to Ian Cunliffe, chief privacy officer at CPA Australia, the legislation will be a game-changer, making lapses more public and potentially more costly to address.
“Up until now we’ve had legislation that has the potential to impose serious penalties to people who breach privacy, but the obligation to self-declare, as the legislation proposes, raises the stakes enormously,” he says.
“Currently businesses are not required to self-declare, so we don’t know how many breaches there have been. If this legislation is passed, there will be the obligation to shout any data breaches from the rooftops, and a failure to do that will double the embarrassment if the company is found out and greatly increase the risk of criminal sanctions.”
Failing to disclose could also prove expensive, with businesses facing a range of potential penalties, including fines up to A$1.8 million.
Accountants are at high risk of a data breach
Cunliffe says that some small businesses may be underestimating their exposure to data security incidents.
“Every business has information that is confidential in relation to the privacy obligations that apply, for example, employment records. This might be information about people’s sick leave and the reasons for it and other personal information, so maintaining its confidentiality is a serious matter.”
He says that accounting practices are at particular risk, given the sensitivity of the data they hold.
“Accountants’ stock-in-trade is providing confidential advice based on personal information – so it would potentially be very embarrassing if that information made it into the public arena.”
Cyber insurance expert Drew Fenton, from insurance and professional indemnity protection firm Fenton Green, agrees that accountants cannot afford to be complacent.
“If I were to rate clients from zero to 10, where 10 is the highest risk, accountants would be seven or eight. Even though they don’t have a large database, they have all of our personal information including our financial details. From that perspective they are high on the target list for hacking.”
He says that being aware of the potential for a cyber attack can go a long way to protecting a business from the reputational damage and financial costs that accompany a data breach.
“The number one risk is opening an infected attachment – that’s where viruses get into your system. On average a virus is in your system 140 days before it is detected – watching, waiting and collecting information.”
The IBM report on the cost of data breaches in Australia shows that the average cost of managing and rectifying a breach is around A$142 per compromised record.
Although the financial cost is high, IBM says the biggest consequence of poor data security is a loss of business following a breach.
Fenton agrees that reputational damage and reduced client trust are probably the biggest concerns for small businesses.
“If it happens once, we’ll probably forgive it. Twice, we’ll be very cautious, but if it happens three or four times, the company will have a very severe PR problem.”
Protect your business from data breaches
Here are three strategies to help keep your data safe.
1. Put robust data security protocols in place
The first line of defence against cybercrime is having a strong culture of data security and reporting, and up-to-date security software. Your systems, and those of your partners and suppliers, should be regularly tested for vulnerabilities, and a risk assessment and management process put in place.
Be aware of your industry compliance obligations, such as the Payment Card Industry Data Security Standard (PCI DSS) for organisations handling credit card information, or the Information Security Registered Assessors Program (IRAP) for businesses or other groups wishing to store or process Australian Government information.
Educate your employees about the importance of protecting client information, and create clear management reporting processes.
Only collect the data you need – the less you have on file, the lower the risk if a breach occurs.
2. Consider taking out cyber insurance
Cyber insurance is a relatively new type of cover that can help pay the costs related to a data breach. It can cover first-party costs, such as having an IT expert come in and remove the malware, or the cost of reporting the breach. It can also cover your liability costs if an affected client takes legal action.
3. Seek help if you suspect a data breach
As the proposed legislation hasn’t yet passed, it’s not clear exactly what the notification process will require. So if you think there may have been a breach of your data, speak to a solicitor to confirm whether you need to report it, and how to go about making the required notifications.
You may also want to consult a public relations firm to help limit the reputational damage, and help shape the message to affected clients.