28

FEBRUARY, 2018

Data breaches
Huge fines
Small business caught up in big nets

The Australian government has cast a wide net to try and catch companies covering up data security breaches.

Notifiable Data Breaches Bill came into act on February 22.

Any organisation that is accountable to the Privacy Act will be required to inform the Australian Information Commissioner and members of the public if their data has been compromised.

The Notification Data Breach Scheme directly affects Government agencies, all businesses and not-for-profit organisations with an annual turnover of $3 million or more, all private sector health service providers and those that trade in personal information.

Health startups need to sit up and take notice.

Image from Pixabay

Many Data Breach incidents could have been prevented through straight-forward cyber security measures and risk management processes. Cymax.

In the majority of cases ‘hacking’ or data breaches actually happen to small companies. The perpetrator often turns out to be an ex-employee.

Which means that the way startups hire, grant access to computer systems, fire and revoke access for their employees is a key component to any privacy and data security plan.

As well, the widespread use of cloud computing poses unique problems. Companies are increasingly dependent on PaaS and how they store data can be oblique. This leaves the onus on the business to ensure the cloud service they use has high quality data security policies.

‘A new survey, commissioned by HP, has also revealed that ­almost half of all Australian small and medium businesses are not prepared for the new laws, and have not undertaken any IT security risk assessment in the past 12 months.’ The Australian Business Review 6th January 2018.

Personal data can be defined as  ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable’.

Failure to comply can result in responsible individuals – a company’s founder and key employees – being served penalties of up to $360,000, and companies up to $1.8 million. Startup Daily. 1st February 2018.

Even if you have a simple database of users with their name, email, address and telephone number, you need to set up procedures that clarify how that data is accessed and used in your business.

You are also required to have in place a standard plan in writing should a data breach occur now or anytime in the future. All employees should also be made aware of this plan and how it is executed if it needs to be.

‘According to the Ponemon Institute, the average total cost of data breach for the 419 companies participating in their research decreased from $4.00 to $3.62 million. The average cost for each lost or stolen record containing sensitive and confidential information also significantly decreased from $158 in 2016 to $141 in this year’s study.

Health care organizations had an average cost of $380

However, despite the decline in the overall cost, companies in this year’s study are having larger breaches. The average size of the data breaches in this research increased 1.8 percent.’

A material data breach is one that involves a minimum of 1,000 lost or stolen records containing personal information about consumers or customers. This research does not include data breaches involving high-value information assets such as intellectual property, trade secrets and business confidential information.

Cost analysis reveals a relationship between the average total cost of data breach and the size of the incident.

The faster the data breach can be identified and contained, the lower the costs.

Forty-seven percent of all breaches in this year’s study were caused by malicious or criminal attacks.

The more records lost, the higher the cost of the data breach

Certain industries are more vulnerable to churn with healthcare being one of them.

The failure to quickly identify the data breach increases costs.’

Personal data can be defined as  ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable’.

It doesn’t stop with Australian legislation.

The European Union General Data Protection Regulation contains new requirements that will apply from the 25th May 2018. Australian companies will come under this legislation if they have a business (no matter how small) that processes any kind of personal data (whether it’s stored in the EU or not), offer goods or services or monitor the behaviour of individuals in the EU.

So be a smart fish. Plan ahead.

Don’t get caught up in the dragnet of government legislation that probably had it’s roots in anger over the way multinationals were flippant with billions of people’s data.

@Wikihospitals February 2018