Why contact tracing regulations pose security challenges for small businesses

Smartphone running a COVID-19 contact tracing app over a surgical mask

To ensure the health and safety of customers across Australia, cafes, restaurants and many other bricks and mortar businesses face new government regulations intended to support contact tracing and help stop the spread of COVID-19.

As a result, many small businesses now require patrons to supply their personal details as a condition of entry. This is often done via technologies such as QR codes that link to data-collecting third-party websites. Beyond the privacy concerns, businesses need to ensure this data is protected from cyber-attackers and unauthorised sharing, and that it is disposed of appropriately and in a timely manner.

So where should small businesses start?

Regardless of the size of the organisation, great care should be taken when handling customer data. Personally identifiable information (PII) must be stored, retained and protected in the same way as any other customer record.

Is the data stored securely and in your explicit control? Is it encrypted? Where will the data reside and who will access it? These are questions that need to be answered.

The business must maintain clear ownership of the data. The problem with QR codes is that they typically take the user to a third-party website that collects data on behalf of the business. Adding the customer data to a SurveyMonkey form or a Google spreadsheet is also inadequate: these platforms carry their own vulnerabilities, and third-party providers such as these are often able to access the data under the terms of using the service. The best way to collect and store the data is via a personalised, secure submission form owned and controlled by the organisation.
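As an added illustration of the business-owned approach recommended above (example code written for this article, not from Sophos or any product), the Python sketch below keeps a minimal check-in register that stores only the fields a tracing request needs, answers a health-authority request for one venue and one time window, logs every export, and purges records after a retention window; the 28-day window is an assumption borrowed from the Service NSW pilot mentioned later on this page, and the storage backend and encryption at rest are left outside what it shows.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=28)  # assumed: mirrors the 28-day limit of the Service NSW pilot

@dataclass(frozen=True)
class CheckIn:
    venue: str
    name: str
    phone: str
    checked_in_at: datetime

class CheckInRegister:
    """Hypothetical business-owned store for contact-tracing check-ins (in memory)."""

    def __init__(self) -> None:
        self.records: list[CheckIn] = []
        self.access_log: list[str] = []  # every export and every purge is recorded here

    def record(self, venue: str, name: str, phone: str, now: datetime) -> CheckIn:
        # Data minimisation: only what a tracing request needs, nothing for marketing.
        entry = CheckIn(venue, name.strip(), phone.strip(), now)
        self.records.append(entry)
        return entry

    def purge_expired(self, now: datetime) -> int:
        """Delete check-ins older than RETENTION; returns how many were removed."""
        cutoff = now - RETENTION
        kept = [r for r in self.records if r.checked_in_at >= cutoff]
        removed = len(self.records) - len(kept)
        self.records = kept
        self.access_log.append(f"{now.isoformat()} purge removed={removed}")
        return removed

    def contacts_for(self, venue: str, start: datetime, end: datetime, requester: str) -> list[CheckIn]:
        """Answer a health-authority request for one venue and one time window only."""
        self.access_log.append(f"{requester} export venue={venue} {start.isoformat()}..{end.isoformat()}")
        return [r for r in self.records if r.venue == venue and start <= r.checked_in_at <= end]

def demo() -> dict:
    """Constructed scenario: three check-ins, one already past the retention window."""
    reg = CheckInRegister()
    t0 = datetime(2020, 10, 1, 12, 0, tzinfo=timezone.utc)
    reg.record("Cafe A", "Alice Example", "0400 000 001", t0 - timedelta(days=30))  # stale
    reg.record("Cafe A", "Bob Example", "0400 000 002", t0 - timedelta(hours=2))
    reg.record("Cafe B", "Carol Example", "0400 000 003", t0 - timedelta(hours=1))
    removed = reg.purge_expired(t0)
    hits = reg.contacts_for("Cafe A", t0 - timedelta(hours=3), t0, requester="health-authority")
    return {"removed": removed, "remaining": len(reg.records), "hits": [h.name for h in hits],
            "log_entries": len(reg.access_log)}
```

Running purge_expired on a schedule is what turns the "timely disposal" requirement into something auditable, and the access log is what you would hand over if asked who has looked at the data.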

Can the government help?

I valued our Prime Minister recently acknowledging that security is everyone’s problem when he announced the government’s new cybersecurity strategy and CESAR package investment. Hopefully, this goes some way towards encouraging small businesses to understand the importance of keeping customer data secure. Small businesses must be aware and know the risks, particularly as many are being asked to collect more customer data than ever before.

Many small businesses would benefit from the introduction of a framework and/or set of guidelines to educate managers/owners on how best to secure customer data.

While it’s encouraging that our Prime Minister has paid attention to small businesses as part of the government’s cybersecurity strategy, there’s still a lot of scope for both federal and state governments to support small businesses to encourage cyber hygiene, particularly with regards to the storage of customer records.

A COVID-safe approach

The NSW Government is running a pilot for the COVID Safe Check-in tool. Instead of small businesses collecting the data themselves, their customers simply scan the COVID Safe QR code provided by the business, which takes them to the Service NSW app to check in. The customer will be notified by the Service NSW app or contacted via phone or email if there’s an outbreak at a location they’ve checked in to. When patrons check in to a business using the app, only the location of the business and the time of visit are recorded. This information is stored for only 28 days.

According to the National Retail Association, small businesses employ nearly half of the Australian workforce (46 per cent) and contribute more than a third of Australia’s GDP (35 per cent). While these numbers are likely to have changed since the start of the pandemic, the contribution of small businesses to Australia’s economy cannot be overstated.

The COVID-19 pandemic has drawn attention to the need for small businesses to understand the importance of protecting customer data. Therefore, it’s only fitting that small businesses receive the adequate support and resources required to ensure they are well prepared in this regard now and into the future.   

Aaron Bugal, Global Solutions Engineer, Sophos