The news that a hacker is trying to sell a fresh tranche of LinkedIn data stolen in the well-publicised 2012 hack is a chilling reminder of the perils and responsibilities of storing third party data.
The Privacy Act 1988 requires organisations that collect private information about third parties to take reasonable steps to protect it from misuse. Failure to do so can not only lead to crippling damages claims, but to savage fines. Even organisations which may be small enough not to be covered by the Privacy Act still have a duty of care to anyone whose private data they hold. And regardless of the legal consequences, data security breaches are never good for business!
Most large organisations have the internal resources to maintain best-practice data vigilance, but the LinkedIn story shows that even an IT giant can be vulnerable to a determined hacker. For smaller organisations, it can be very difficult to stay ahead of the game. The Federal Government’s Office of the Australian Information Commissioner publishes a handy guide for any organisation covered by the Privacy Act. It includes a discussion of the steps that should be taken by an organisation that suffers a breach.
Sources of Risk
While hacks by outsiders get the most media attention, the sad fact is that a data breach is just as likely to be perpetrated by one of your own employees (whether through malice, error or negligence) as by a demon geek in a flat in Kiev. And the mechanism for most of these breaches is often depressingly low-tech. Here are some examples:
- Theft of paper records from insecure recycling bins.
- Devices such as multi-function printers, which contain digital storage media, being disposed of or returned to the lessor without their contents being erased.
- Lost or stolen laptops, memory sticks or even paper records.
- Employees accessing and disclosing or otherwise misusing personal information.
- Employees being deceived into making improper disclosures of personal information held by the company.
As we can see, these breaches vary in scale, but the important thing to bear in mind is that any breach has the potential to do you serious harm if it assists a cybercriminal to hack your system.
The Privacy Act deems certain information, such as that related to credit and reputation, to be “sensitive”. However, its definition of “sensitive” depends on context, and it is consequently the duty of the organisation to consider the effect of unauthorised disclosure and determine the information’s sensitivity for itself. Consider, for instance, the unauthorised disclosure of a list of addresses. If the list is merely for the purpose of delivering periodicals, it’s not likely to be considered sensitive. If it’s a list of people who have requested temporary redirection of their mail, it most certainly is!
What Can You Do?
Here are some steps that should be taken by any organisation that keeps third party personal information:
- If you do not have one already, create a designated staff position to undertake responsibility for data security.
- Assess the risk – you should have a clear understanding of the extent and nature of the personal information you handle. As discussed, you need to come to your own assessment of the sensitivity of information.
- Review the information you collect in the course of doing business. Make certain you are only collecting data you really need – the rest is just adding to your security burden.
- Develop policy around data security, and train your staff in their implementation. Establish a monitoring protocol to maintain vigilance.
- Review your reliance on third party services. Cloud computing and the use of hosted software mean that more businesses than ever before rely on the integrity of third party storage arrangements. If you’ve recently begun online training and assessment, have you properly assessed the exposure of sensitive information about your employees that it entails? Where is your data stored? In general, you should prefer providers who
- Make sure you have appropriate cybersecurity insurance. Your broker will be happy to help you review your exposure, and recommend the necessary cover. Cover should include Business Interruption protection, as even when no claim arises from a breach, the aftermath of a breach can involve lengthy and costly down time.
If you’d like to review your cybercrime insurance, call Sydney Insurance Brokers today, and talk to one of our data security experts.