The unprecedented increase in staff ‘working from home’ is opening the door to increased data breaches and exposing companies to a greater risk of multi-million-dollar fines.
A data breach is an unauthorized access or disclosure of personal information, or a loss of personal information.
Under the Privacy Act 1988 (Cth) (the Act), a company can be fined up to $2.1m for serious interference with an individual’s privacy. If an interference involves more than one individual, it may be possible that a company will be liable for multiple instances of the fine.
Read more about that here: ‘Faceplant: Are multiple civil penalties (im)possible for the one privacy breach?’
As a business with staff working from home, it is important to be aware of:
Increased data breach risks while staff work from home How to prevent, mitigate and respond to a data breach
Increased data breach risks while staff work from home
With staff now working from home due to COVID-19 the ACCC’s ‘scamwatch’ has noted an increase in COVID-19 related scams.
One identified scam involves a text message being sent to the victim which appears to be an official government communication, the link then maliciously attempts to steal the victim’s personal data or gain access to their device. Such a scam could be devastating to a business if it resulted in the theft of sensitive data.
The Office of the Australian Information Commissioner (OAIC) revealed that in the second half of 2019 64% of Notifiable Data Breaches were due to malicious or criminal attack, and 32% were due to human error.
Below are some more security risks to look out for while your staff are working from home:
Files being stored on a staff member’s compromised (or unencrypted) device Increased unusual internet traffic, making a malicious attack harder to identify Unencrypted web-traffic (no VPN) Sensitive information being left out at home with housemates/visitors able to see it Sensitive information being thrown into the household bin instead of being securely destroyed
Our Chief Information Officer has emphasized that when planning IT infrastructure to work from home, businesses should keep it simple and embrace the below tips:
Ensure you have an anti-virus/anti-malware solution deployed and that it is up to date Avoid clicking links in messages from parties you don’t know NEVER enter a username or password unless you are confident it is a legitimate site Adopt mutli-factor authentication wherever possible. Don’t rely simply on a username and password
In addition to implementing these IT protections, it is important to plan for a breach before one occurs. Even the most well-resourced companies fall victim to data breaches (e.g. Facebook, Marriott, Microsoft), so preparing a preemptive ‘Data Breach Response Plan’ is highly recommended to ensure that when it does you comply with obligations under the Privacy Act and reduce the consequences of the breach.
The OAIC has stated that all entities should have a Data Breach Response Plan. If you already have one, we highly recommend updating your plan to reflect your new ‘work from home’ risks and procedures.
How to mitigate and deal with a WFH data breach
1 – Update (or create) your data breach response plan
All businesses should update their data breach response plan to reflect their changed working environment. The plan should highlight all new and increased risks and ensure that response steps are achievable in the changed working conditions.
2 – Prevent data breached where possible
Your business should update IT infrastructure and reassess data collection policies. Perhaps some data no longer needs to be collected, or perhaps it can be stored in a more secure way.
3 – Contain any breach immediately
Ensure that your data breach response plan is updated with immediate containment strategies when a data breach becomes known.
4 – Be aware of notification obligations
After assessing a data breach, it is important to be aware of mandatory notification requirements where the information which has been breached has caused, or is likely to cause, serious harm to an individual. These requirements apply to specific larger companies and it is important to seek advice as to whether this applies to your company.
Prepare for a breach now
The best way to mitigate the chance of a data breach is to ensure your Data Breach Response Plan and IT systems are up to date before the breach occurs. In this environment of increased risk, now is the time to act by seeking expert advice on your obligations under the Privacy Act.
