What do recent high-profile data breaches mean for SMEs across Australia?


In recent times we’ve seen corporate big dogs making news headlines after falling victim to malicious breaches, but what about the small to medium businesses across Australia – how do they best equip themselves to prevent the anxiety, stress, financial and reputational loss of a data breach?

My advice is to look at the recent handling of data breaches in the media as a guide. I think we can all agree that Optus lacked a strong crisis response, and chances are they had not adequately prepared for that type of crisis. Whether they had or not, the key is to be proactive, not just reactive. Businesses must have an airtight cyber incident response plan to mitigate and defuse a potential breach.

Businesses must take serious measures to ensure the privacy and protection of customer data. On 28 November 2022, the government announced an increase to the financial penalties from the current $2.2 million to a fine of “up to $50 million”, “three times the value of any benefit obtained through the misuse of information”, or “30 per cent of a company’s adjusted turnover in the relevant period”. They clearly want to see the private sector taking the storage and handling of customer information seriously.

What can we expect in the future – do we expect to see more of these?

Unfortunately, yes. Until the directors and boards of companies actually invest the right budget into protecting their businesses, as well as their clients or customers, and into identifying weaknesses before a hacker or cyber criminal can use them, this will continue.

How can businesses protect themselves and their customers?

  1. Don’t recycle your password across accounts, even by changing two or three characters, numbers or symbols in the same password. Hackers have software that allows them to try multiple combinations or variations of passwords, making it easy to break into your account if they know one of your passwords. Instead, use strong, completely unique passwords, at least 12 characters in length, with numbers, letters and symbols or special characters.
  2. Get a password database and secure it with a passphrase that is something only you would know, e.g. a childhood memory. The password database, which is unlocked with your exclusive passphrase, allows you to copy and paste passwords, so you won’t have to remember all those complicated passwords you created.
  3. Use multi-factor or two-factor authentication, including, but not limited to, email accounts, password databases and remote access systems. Recent changes in cyber liability insurance mean that if you don’t have this in place you won’t be able to get a quote or renew an existing policy.
  4. Stay on top of installing software updates on all devices. This includes your computers, mobile phones, tablets, security cameras, door access controls, and home and business building automation systems: essentially anything that can be connected to the Internet, a network or Wi-Fi.
  5. Engage with a professional IT and cyber security company to review your systems, even if you’re currently utilising the services of another provider. Reviewing your systems before a breach will save you stress, anxiety, time loss, and monetary loss. Hackers are constantly upskilling, so this must be an ongoing service engagement, not a one-and-done.

What do we need to know in terms of consumer law/consumer protection?

Consult a licensed professional solicitor, who has the necessary expertise in this area, to provide this advice and the requirements for your industry.

The Privacy Act states that any business with a turnover of $3 million or more must properly notify affected individuals where the breach could cause them harm. If this is not actioned correctly, the Office of the Australian Information Commissioner has the power to fine up to $2.2 million as it stands now. If health information or tax file numbers are involved, then, regardless of your turnover, affected individuals must be notified.