A few days ago, one of our clients experienced a data breach. The issue was reported to the Office of the Australian Information Commissioner. This can happen at random to anyone, regardless of business size or revenue. No one is data breach-proof.
“I don’t have data worth stealing - I don’t store clients’ data - I don’t store credit card or payment details.”
Data can be accessed via your website and can be something as simple as an email address. It can be a user’s full profile, or anything stored in the cloud. You may use online accounting software like Xero, you may use an email platform like MailChimp, and you may store personal details either in software or in your OneDrive, Dropbox or Gdrive. Any unauthorised access counts as a data breach.
80 million people around the globe are affected one way or another by data breaches. In the past 5 years, health care facilities have been the most targeted industry for cloud hacking. The attackers’ intention is clear: healthcare facilities store a large amount of critical and highly personal identifiable data that can be traded on the dark web.
What exactly is a data breach?
A data breach happens when sensitive information is accessed or taken for unlawful reasons. It happens in various ways, such as unauthorised access to a physical computer to download important information, breaking into computer networks, and, with the advancement of cloud storage, hacking into cloud accounts to get the information the attackers want.
Is there a severity threshold for lost data to be considered a data breach?
Luckily, the Office of the Australian Information Commissioner has been diligently implementing the Privacy Act and is helping make our community a safer place for cloud data.
According to the OAIC: “Agencies and organisations regulated under the Australian Privacy Act 1988 (Privacy Act) are required to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm to individuals whose personal information is involved in the breach. This page provides an overview of the scheme and information to help entities comply with these requirements and notify the OAIC and affected individuals when an eligible breach occurs. Our Data breach preparation and response guide provides detailed information, including a general framework, to help entities prepare for and respond to data breaches. If you are concerned that your own personal information may have been involved in a data breach, you may be interested in our data breach guidance for individuals.”
What do you do when you suspect a Data Breach?
In line with the Privacy Act 1988, the OAIC asks that the entity involved assess the breach and identify whether it may cause harm to the affected individuals.
Generally, the actions taken following a data breach should follow four key steps:
Step 1: Contain the data breach to prevent any further compromise of personal information.
Step 2: Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm.
Step 3: Notify individuals and the Commissioner, if required. If the breach is an ‘eligible data breach’ under the NDB scheme, it may be mandatory for the entity to notify.
Step 4: Review the incident and consider what actions can be taken to prevent future breaches.
Learn more in the OAIC’s Data Breach Preparation and Response guide.
It is also important to have a data breach policy in place so that when a breach happens you are prepared to deal with it, including as a legal matter. In general, entities should:
- take each data breach or suspected data breach seriously and move immediately to contain, assess and remediate the incident. Breaches that may initially seem immaterial may be significant when their full implications are assessed.
- undertake steps 1 (Contain), 2 (Assess), and 3 (Notify) either simultaneously or in quick succession. In some cases, it may be appropriate to notify individuals immediately, before containment or assessment of the breach occurs.
- determine how to respond on a case-by-case basis. Depending on the breach, not all steps may be necessary, or some steps may be combined. In some cases, an entity may take additional steps that are specific to the nature of the breach.