What’s new with Data Breach Laws?
Sadly, cybercriminals are always trying to challenge us and have been specifically targeting small and medium based businesses in Australia for years.
While businesses have continuously been made aware that they should be reporting any data breaches to the Australian Information Commissioner, since the 22nd February 2018, it is vital for businesses to report all data breaches that occur as per the Federal Register of Legislation, as well as those impacted.
So, to start off with the basics, what is a data breach?
A data breach relates to a security event where private/ confidential documents or private information is leaked to an untrustworthy source. Some of the time this can be unintended and accidental, but other times it can be intentional if say an employee or a contractor deliberately accesses it with the intent of stealing it or using it on purpose.
What types of businesses are affected?
This affects any (for-profit or non-for-profit) Australian Government Agencies, companies with a yearly turnover of more than $3 million and also businesses that handle sensitive information, such as those businesses in the health sector.
If there is a data breach what should you do?
If your company or business falls into the category required to abide by this law and a data breach occurs, you are required to notify your customers and the Office of the Australian Information Commissioner that the data breach has occurred.
Before such an event occurs, it’s a good idea to have strategies and policies in place to eliminate data breaches from occurring and ensure that you are aware that such events may affect the financial side of your business. There are a few things that will help you to ensure that you have appropriate measurements in place.
What sort of policies and procedures should be in place?
- IT Security Policy: Guaranteeing that employees have rights to only access what they require in order to do their job limits access to information that they don’t necessarily need.
- Regular Auditing of Processes/ Hardware/ Software: Making sure that employees are following IT policy and procedures appropriately (changing passwords when they should be, keeping passwords secure, completing updates when they become available, etc).
- Regular training on Security: Regularly training employees on the importance of IT security proactively provides staff with frequent knowledge of policies and procedures.
- Management of Security Services: Protection against malware, viruses, worms, spyware is vital. Ensuring operating systems, networks, servers and applications are free of malware, viruses, worms and spyware will provide for a safe working environment.
- Centralised Firewall: It’s vital to have a centralised firewall in place to safeguard your network.
- Router Security: As cybercriminals are easily able to compromise your data without being present at your office, be sure that your network and router is setup securely.
- Backups: There is nothing worse than backing up data unreliably or inadequately. Be sure that you are using a trustworthy backup solution where you know that your data isn’t vulnerable.