

We Are All Data Protectors Now!

November 7, 2016

If you’re one of those who think cyber-crime is a problem only for the large corporation, the IT professional or the computer dating sites, think again, as you read this cautionary tale:

As she looked through her emails and sipped her first coffee of the day, Sarah’s guard was low. When she spotted an email from her electricity provider about her account, she unthinkingly opened it. Seconds later, she found herself locked out of her system, her files encrypted. The only thing she could read was a message from her attacker, demanding $500 as the price for decrypting her files. Wisely, she ignored the demand and went straight to Dave, her computer guy, who sorted it out over three days’ work, during which time her design and fitout business was at a standstill.

At the end of the day it cost Sarah an estimated $7,200 to sort it out, and some of her files, including her Master’s thesis, were beyond recovery. It could have been worse though, as Dave pointed out – ransomware hackers at least announce their presence, and it could just as easily have been an attack which breached her payments system or her own bank account. That could have led to huge financial losses, for which she might be held responsible, wholly or in part.

The Privacy Act, 1988, the instrument Australia uses to legislate data protection issues, has recently been amended such that a whole swathe of Australian business now has unprecedented responsibilities to third parties for the protection of data it keeps. Something as simple and rudimentary as operating an EFTPOS terminal in a café puts you in possession of sensitive information about your patrons, and now carries the responsibility for taking “reasonable steps” to protect that information from breach and/or misuse. In the event of a breach, these responsibilities can give rise to damages awards that can cripple many small businesses.

But the law doesn’t go so far as to make insurance mandatory, as it does, for instance, in respect of tradesmen. Still, it’s surprising how few SMEs take advantage of cyber insurance, a field in which Australian business lags behind its North American and European counterparts.

To see the extent of the problem, it’s worth summarising the losses and damage that can arise from breaches of data and cyber attacks.

  • Reputational – information you hold about clients or patients is used to impugn their character or cast doubt on their fitness.
  • Inadvertent defamation – you accidentally cc a whole bunch of contacts in a message that was intended for a much smaller readership and that deals in uncomplimentary terms with an identifiable third party.
  • Negligent transmission of a virus or malware. SMEs with rudimentary firewall provisions are particularly prone to this.
  • Unauthorised use of sensitive data for digital marketing purposes. Essentially, you may only send unsolicited messages (including postal mail) to those who have opted to receive your marketing material.
  • Theft or misappropriation of funds arising from a breach of confidential information you hold.
  • Theft or misappropriation of intellectual property arising from a breach of data held by you.
  • Recovery costs, including IT professionals and replacement of hardware.
  • Interruption of business.

This is far from an exhaustive list, but if any of the points on it sounded a warning bell for you, perhaps it’s time you gave us a call to discuss a policy tailored to the liabilities created by the latest legislation?