With an average cost of $3.35 million, data breaches often leave behind a trail of destruction. But as NSW Privacy Commissioner Samantha Gavel points out – ahead of her keynote at the Australian Privacy Forum – they also leave valuable clues on how to improve data security.
Ms Gavel and her team at the Information and Privacy Commission NSW have been analysing these clues for a number of years – zeroing in on high-profile breaches such as the 2020 cyberattacks on Service NSW. Each incident under their microscope has shed light on weak spots in organisational practice, Ms Gavel says.
“Data breaches are incredibly unfortunate, but with each one that occurs, we gain renewed strength, because they expose – and help us fix – any cracks in the system,” she said.
In the last two years, Australia has fallen victim to 42 major data breaches, with at least four of these reportedly affecting 100,000 or more people.
What have we learned from these events so far? Ms Gavel shares some insights ahead of her speech.
Reconsider whether you need to collect or retain data
While laws surrounding data collection and retention can be complex, Ms Gavel recommends all organisations interrogate whether their own use of data is necessary.
“At a minimum you of course need to meet legal obligations. For example, organisations that fail to delete their data when it is no longer needed for the purpose it was collected may be penalised.
“Beyond that, I would encourage all organisations to consider whether their use of data is business-critical. If it is not, reconsider your approach as soon as possible, as it may expose you to undue risk.”
Don’t downplay the risk of human error
A data breach is any type of failure that allows unauthorised access to your organisation’s data. A misconception is that this is always the result of hacking or malware. However, it is estimated that around 38 percent of all data breaches are the product of human or technical error.
“Business leaders can get fixated on the risk of cyberattack and forget that human and technical error is often responsible. As a result, they often have inadequate safeguards in place to prevent these errors – like company-wide training or resources,” said Ms Gavel.
“Ideally, you want your data protection efforts to include a dedicated approach to tackling human and technical error.”
Don’t undergo a tech transformation without a commensurate focus on cyber security
New technologies can expose organisations to new cyber risks. Those looking to procure technology to meet a business objective must consider cyber security a commensurate need, Ms Gavel recommends.
“Cyber criminals often exploit newly implemented technologies. We saw this throughout the pandemic, with the rise of remote working and the virtual office tools used to support that. There was a big surge in attacks during this time.
“It is vital that organisations have a robust cyber security strategy in place and adequately resource their cyber security efforts. It should be an equal priority to the productivity or efficiency gains you are looking to achieve with the technology.”
Stop using email systems to store information – and remember to purge your deleted items folder
While many organisations now understand the risks associated with storing data in email threads, some are not aware that deleted items folders must also be purged.
“It is great that many employees are now routinely deleting any email conversations that contain consumer information. However, they must not forget to permanently delete the emails from their deleted items folder,” Ms Gavel highlights.
“Unfortunately, this was one of the issues exposed in the Service NSW cyberattack, which resulted from a major phishing campaign.”
Privacy aware culture
Awareness of cyber security matters is enhanced when the organisation has a privacy-aware culture and factors privacy into everything it does.
“When data protection is at the forefront of everyone’s minds, you are much more resilient as an organisation,” said Ms Gavel.
“With human error responsible for so many data breaches, the more you can spread the message about data security, the better chances you will have of avoiding one.
“It is a whole-of-organisation commitment, not confined to the IT team. So, train everyone up as soon as possible and ensure all employees remain privy to new and emerging threats.”
Design and execute a privacy and governance framework
To ensure all bases are covered, Ms Gavel urges organisations to devise a framework, detailing how their privacy obligations will be met under the applicable privacy legislation.
She says it can be helpful to hire a dedicated privacy employee or team, but cautions that all frameworks will need to be discussed at the executive level.
“Privacy conversations should not be siloed. They should ideally involve a company’s entire leadership team to make sure everyone is on board and no business decisions are made without privacy in mind.”
Keep abreast of the evolving legislation
Data breaches have given rise to new laws and legislative amendments, including the Privacy and Personal Information Protection Amendment Bill 2022 which was passed by the NSW Parliament this month.
As a result, NSW will be the first State or Territory jurisdiction to introduce a mandatory scheme for its government agencies to respond to data breaches. The Commonwealth Notifiable Data Breach scheme was introduced in 2018 and applies to all organisations covered by the Commonwealth Privacy Act.
Ms Gavel expects legislative and regulatory powers to continue growing in the coming years, in light of the steep rise in data breaches. The Australian Government is considering changes to privacy law and a bill to provide for greater penalties for serious data breaches has recently been passed by the Australian Parliament.
“It is really important that organisations keep abreast of any legislative changes, have robust privacy practices and systems in place, and ensure their legal obligations are met. While there are penalties for non-compliance, public trust with an organisation is quickly eroded following a cyber incident.”
NSW Privacy Commissioner Samantha Gavel is among a stellar line-up of speakers at the Australian Privacy Forum, to be held February 16, 2022 at the Radisson Blu Plaza Sydney.
Joining Ms Gavel on the stage are eSafety Commissioner Executive Manager Morag Bond, Chief Data & Technology Officer of consumer advocacy group Choice Ashwin Shridar, and Australia’s leading cyber lawyers.