Time to put the focus on digital security

Another blunder by a large-scale organisation is providing a loud reminder that digital security is not taken seriously enough in Australia.

With the upcoming legislation amendments, Australian businesses and the public need to be well informed about data security, and work towards two important changes: a refresh of security systems, and a shift in the mindset surrounding digital security.


The Department of Health blunder

The Department of Health is facing ongoing investigations by the OAIC after unintentionally exposing the health records of 1 in 10 Australians. The sensitive information included that of prominent Australians such as MPs and sportspeople. The information was de-identified and released to the public, as is common practice. Unfortunately for that 10% of the Australian population, a study conducted by the University of Melbourne’s School of Computing and Information found that individuals could be re-identified.

The University of Melbourne study found that these unique patient records can be matched against publicly available information, such as past medical procedures and year of birth, allowing identities to be inferred with some confidence. This potentially exposes socially sensitive records like prescribed medications, terminations of pregnancy, and information on personal mental health.
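As an added illustration of the pre-release check the article argues was missing (this is not code from the original article or from the Department), the following Python measures, over a constructed sample of de-identified records, how many records remain unique on the quasi-identifiers an outsider could match on, and shows that coarsening year of birth and dropping procedure history shrinks but does not eliminate the set of unique records. The field names and sample data are assumptions, not real MBS/PBS data.

```python
from collections import Counter

# Constructed sample of "de-identified" claim records (not real MBS/PBS data).
# Direct identifiers are gone, but quasi-identifiers remain.
SAMPLE_RECORDS = [
    {"id": 1, "year_of_birth": 1954, "sex": "F", "state": "VIC", "procedures": ("knee_replacement", "cataract")},
    {"id": 2, "year_of_birth": 1954, "sex": "F", "state": "VIC", "procedures": ("cataract",)},
    {"id": 3, "year_of_birth": 1982, "sex": "M", "state": "NSW", "procedures": ("appendectomy",)},
    {"id": 4, "year_of_birth": 1983, "sex": "M", "state": "NSW", "procedures": ("appendectomy",)},
    {"id": 5, "year_of_birth": 1982, "sex": "M", "state": "NSW", "procedures": ("appendectomy",)},
    {"id": 6, "year_of_birth": 1971, "sex": "F", "state": "QLD", "procedures": ("hip_replacement",)},
    {"id": 7, "year_of_birth": 1971, "sex": "F", "state": "QLD", "procedures": ("hip_replacement",)},
    {"id": 8, "year_of_birth": 1990, "sex": "M", "state": "WA", "procedures": ("tonsillectomy", "appendectomy")},
]


def quasi_key(record, fields, generalise=None):
    """Build the tuple an outside party could match on: the quasi-identifier
    values, each optionally generalised (e.g. year of birth coarsened to a band)."""
    generalise = generalise or {}
    return tuple(generalise.get(f, lambda v: v)(record[f]) for f in fields)


def class_sizes(records, fields, generalise=None):
    """Map each record id to k: how many records share its quasi-identifier tuple.
    k == 1 means the record is unique in the release and can be singled out."""
    keys = {r["id"]: quasi_key(r, fields, generalise) for r in records}
    counts = Counter(keys.values())
    return {rid: counts[k] for rid, k in keys.items()}


def release_risk(records, fields, generalise=None):
    """Summarise re-identification exposure for a proposed release:
    the smallest class size, the ids of unique records and their fraction."""
    sizes = class_sizes(records, fields, generalise)
    unique = sorted(rid for rid, k in sizes.items() if k == 1)
    return {"min_k": min(sizes.values()),
            "unique_ids": unique,
            "fraction_unique": len(unique) / len(records)}


def year_band(width):
    """Generalisation: replace an exact year with the start of a `width`-year band."""
    return lambda year: (year // width) * width


if __name__ == "__main__":
    full = ["year_of_birth", "sex", "state", "procedures"]
    print("as released:", release_risk(SAMPLE_RECORDS, full))
    coarse = ["year_of_birth", "sex", "state"]
    print("coarsened:", release_risk(SAMPLE_RECORDS, coarse,
                                      {"year_of_birth": year_band(10)}))
```

Any release with min_k of 1 still has records that can be singled out; the remaining unique record here would need further suppression or coarsening before publication.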

The information, released in 2016, includes data from the Australian Medicare Benefits Scheme (MBS) and the Pharmaceutical Benefits Scheme (PBS). A department spokesperson informed the media that the project has been halted and the dataset removed, and offered assurance that measures are being taken to protect and manage data.

The problem (now more than ever)

This is a perfect demonstration that Australian organisations both within and outside the government remain unprepared for the changes to the Privacy Act 1988 becoming effective in February next year. The Privacy Amendment (Notifiable Data Breaches) Act 2017 is bound to catch many businesses off guard.

Sloppy security measures constitute a huge breach of trust for the Australian public. When we work with organisations that collect sensitive personal data, we trust in the confidentiality offered by the organisation. When we work with an organisation that releases datasets publicly, we do so with faith in anonymity. Australians trust in the strength of the protections in place. Incidents like this recent security lapse prove to us that our trust is often misplaced. We’re led to question the strength of organisations’ security measures and, perhaps more importantly, to question whether they take our personal security seriously.

The core problem is not that the records can potentially be re-identified. The problem is that sufficient attention was not paid to security risks before the dataset release. It’s an issue of carelessness. Security was not given priority, and as such was compromised.

The lesson

Personal security is rarely as straightforward as ‘to share or not to share’. For the purposes of research and transparency, it is essential that some de-identified datasets are released, especially when it comes to government entities. What needs to be considered is the nature of the release — how and to whom information is accessible, whether it is secured with technology that keeps pace with technological advances, how effective the de-identification procedures are, and whether or not data are eventually removed or destroyed.

Introducing additional legislation against the re-identification of data may patch some parts of the issue, but it is a temporary and ultimately ineffective fix. It will do little in the light of the Privacy Amendment next year. The new amendment will see organisations penalised heavily for allowing data breaches to occur. In that way, it’s a step in the right direction when it comes to ensuring we all take digital security more seriously.

The lesson to be learnt here is not one unique to the digital age. Security always needs to keep pace with threats. When the enemy makes stronger battering rams, we must see that and build a stronger door. If the enemy can sneak up through the sewers, we must know that and guard the manholes. Businesses must know intimately the nature and severity of shifting digital security threats, and never let down their guard.

Here’s the crux: digital security must be given more weight. Simply by tightening security measures and keeping digital security at the very forefront of company consciousness, organisations will avoid the embarrassment, reputation damage, and financial burden of a security breach, ensuring the continued trust of all Australians.

With the new legislation fast approaching and public awareness rising, it’s time for companies to address digital security with the gravity it deserves.


The Uber data security breach and Australia’s new security legislation

What happened?

Popular ride-hailing app Uber is facing scrutiny worldwide after a massive digital security breach and cover-up was revealed last month. The data breach, performed by two external hackers in October 2016, affected 57 million drivers and passengers using Uber.

The company reportedly paid US$100k to silence the hackers responsible for the breach, successfully concealing the incident for over a year.

The hackers accessed sensitive personal information including the names, email addresses, and phone numbers of more than 50 million users, as well as licence numbers of drivers. Uber has offered assurance that no financial information was accessed, but has not disclosed detailed information about the nature of the breach to the media.

With facts about the incident now being rapidly unveiled, Uber faces liability in several jurisdictions worldwide. Public pressure from the US, UK, the Philippines, and Australia is topping off a year of heavy controversy for the business.


What does the present and future backlash look like for Uber?

Uber is facing strong criticism not only for the breach itself, but for the immoral cover-up that followed. Data breaches, and the identity theft that often results, are of worldwide concern. Governments, companies, and members of the public all recognise the need for tighter security and mandatory reporting.

Australia will see new data security legislation come into play in early 2018, with the legislation requiring all digital security breaches be reported to the Office of the Australian Information Commissioner (OAIC). Legislation is also tightening in the EU — from May 2018 the General Data Protection Regulation (GDPR) will also impose stronger penalties for failure to report a data breach. In all but two US states, it is already mandatory to report data breaches that involve personal information.

Though the financial consequences for Uber under current regulation are still unclear, this incident comes on the tail of a bad year for the company. After reports of concealed sexual assault and driver mistreatment, underpaid drivers in NYC, and the contentious move by TfL to remove Uber’s licence to operate in London, Uber’s reputation has taken a strong hit in 2017.

Damaged reputation is just one consequence for companies that have reported — or concealed — serious data breaches like that experienced by Uber. With reports suggesting that 2018 will see the incidence of breaches continuing to rise, companies are recognising the need to tighten current data security in order to avoid the inevitable reputation damage and financial consequences of a breach.

Uber is not the only global-scale company facing pressure after a security breach. Yahoo and Equifax, among other big names, have experienced breaches of this nature in the last few years.

What does the new legislation mean for organisations like Uber?

With large global companies experiencing these types of breaches and their consequences, the nature of the reporting action taken by big organisations is likely to change dramatically next year. New laws will be cracking down on reporting practices worldwide, especially in the EU and Australia.

If Uber’s data breach had fallen under Australia’s impending laws, the company could be facing far more serious consequences. From February 2018, fines for companies can include financial penalties of up to $1.8 million as well as investigation by the OAIC, court-enforceable undertakings, and orders for compensation.

The same is true of new EU laws, under which fines will reach 4% of annual global turnover, or €20 million, whichever is greater. In the case of Uber, this could entail upwards of $260 million, on 2016 annual global revenue.

With businesses facing such severe consequences for data breaches, there is no room for error in digital security practices in 2018. Businesses in Australia and around the world should be looking to tighten security at every stage of their process.

What can Australian firms do to prevent digital security breaches?

Breaches in security occur when there is a gap in the system. Ensuring the security of data requires strict protocols from its collection to its destruction. Of course, companies should first assess whether it is truly necessary for them to hold sensitive data at all.

If it is necessary, all hard drives should be equipped with safeguards and kept updated, and staff should be educated on best-practice cyber security. Alarm systems should be put in place to alert the company in the case of a breach. Once it is no longer needed, data should be completely, securely, and safely destroyed.

Find a full list of our top 10 ways to avoid a data breach here.

With end-of-life data one of the biggest gaps in current practice Australia wide, we want to assure Australian businesses that there is a safe, secure, and ethical way to deal with data that avoids heavy fines and maintains customer trust.


10 Tips to Secure Your Company’s Data Against Cyber Threats

Incidents of cyber crime and identity theft are set to rise once more in 2018, following the trend that has been well established since the beginning of digital data storage. With the new year and new legislation just around the corner, many businesses are looking to the future and reassessing their digital security practices.

Tens of millions of cases of identity theft occur annually, with stolen funds now exceeding $15 billion each year. Studies suggest that in the last six years, cases of identity theft have increased as much as 200%.

Every organisation handling the data of clients, customers, or employees is at risk of a security breach. Statistically, the greatest threat is experienced by sectors such as education and health, which store large amounts of personal data, as well as financial institutions, an obvious target for cyber criminals looking for monetary gain.

With the risk of cyber crime increasing annually, attention needs to be given to data protection, both in legislation and in the digital security practices of individual organisations. Next year will see legislation tightening in both Australia and the EU, with new laws imposing heavy penalties on organisations that experience digital security breaches.

Beyond the fines imposed by governing authorities in the case of a data breach, companies also experience financial losses in the recovery process, as well as a significant loss of trust in their client base.

The sensitive information in question can include names and addresses, medical records, bank account details, and photographic images or video footage, as well as information on a customer’s workplace. It can also include the expression of certain personal opinions.

With legislation tightening and public awareness of data security issues rising, data security is likely to become a key deciding factor in consumer choices. Companies are taking stronger measures to ensure their clients remain protected from cyber crime and data theft. Below, we suggest several steps that can be taken to significantly minimise the risk of data security breaches in workplaces across Australia.

ADD's tips to secure your company’s data against cyber threats in the workplace

The Australian Privacy Protection Act and the Australian Privacy Principles (APPs) are legally binding principles that inform privacy protection in Australia. Familiarise yourself with these documents and follow the ten steps below to help ensure the protection of sensitive data.

1. Consider whether it is necessary to hold sensitive information in the first place, and what minimum amount of information it is necessary for you to collect. Over-collection of data or storage of unnecessary information increases security risks by increasing the amount of data for which your organisation is responsible.

2. Conduct a Privacy Impact Assessment (PIA) or an assessment of information security risk, if applicable. A PIA is a written assessment identifying the privacy impacts of a proposal and making recommendations for management of those impacts. It describes the flows of personal information within the scope of the proposal, analyses the possible impacts, and explains how the organisation intends to decrease or eliminate the identified risks. The OAIC website can assist you in determining if you require a PIA or an information security risk assessment.

3. Educate your staff on good cyber-security workplace habits. Raise awareness within staff groups of methods used by cyber criminals and ensure that all the employees within your organisation understand the importance of digital security.

4. Ensure that your information handling practices are embedded with the appropriate privacy protections. By always handling data securely, within a planned and deliberate information handling framework, you will minimise your risk of information leaking due to unsafe handling practices or human error.

5. Account for the possibility of human error. Ensure your staff complies with strict policies within your information handling framework regarding access to, and distribution of, sensitive data such as customers’ personal details. Have systems in place to deal with breaches if and when they occur as a result of human error.

6. Equip all hard drives with digital security safeguards and software. Keep all programs updated and patched so that your software is ready to handle the constantly shifting landscape of digital threats.

7. Ensure there are appropriate alarms in place so that, if a breach occurs, you are made aware immediately and can deal with the issue in the most efficient way possible.

8. Only hold data for the time that it is necessary to do so. Once sensitive data is no longer necessary, destroying it immediately and completely ensures that it will not become a security issue in the future.

9. Ensure all paper copies of sensitive information are disposed of appropriately and safely. Work with a data destruction company and ensure your staff understands the sensitive nature of paper copy information and the necessity for its proper destruction.

10. Work with a reputable data destruction company to dispose of digital copies of personal information safely and permanently. Complete data destruction is an essential way to mitigate risk once information is no longer required. Using a data destruction company that can guarantee complete destruction of all digital and physical data ensures your customers’ sensitive information remains secure. Choose a company that can assure 100% auditability of eradicated data. Where possible, have data destroyed on-site to avoid the risks associated with transporting sensitive information.

As the current market leader in Australian data destruction, AVTEL Data Destruction uses a unique and portable milling process that guarantees complete security of eradicated data.

Computer Security Day reminds businesses to tighten digital security in the face of 2018 legislative changes


International Computer Security Day falls on November 30th, urging businesses and individuals to consider the strength of their digital security.

An annual reminder to stay protected against diverse digital threats, Computer Security Day puts the spotlight on securing computers, networks, data, and mobile devices against threats. New legislation coming into play in February next year will make it even more imperative for businesses to manage their digital security wisely, from storage to distribution to destruction.

The first International Computer Security Day in 1988 marked a rising awareness of security issues associated with data and digitally stored information. The rapidly increasing amount of sensitive information being stored online makes it essential that personal device users remain aware of best-practice security measures.

Computer Security Day carries a potent message in 2017. Incidents of identity theft are increasing annually. Hackers and cyber criminals, human error, and system failures can compromise sensitive data both on- and offline, making digital security a concern for every Australian.

Digital security in Australia is set to spend more time in the limelight in 2018, with new legislation coming into play in February that will change the reporting process for businesses in the case of a data breach. Current Australian laws fall behind those of other countries, allowing businesses to decide whether or not they wish to report data breaches to the Office of the Australian Information Commissioner (OAIC). As of next year, organisations will be required to inform the OAIC and affected customers when information is compromised.

The new legislation ensures that relevant parties are made aware when a data breach occurs, if it might compromise their digital security, physical safety, or reputation.

Business owners are heeding the reminder offered on November 30th. Storing sensitive customer information is commonplace and necessary for many organisations. However, publicised data breaches have been responsible for disrupting the reputation of Australian businesses in the past, with steep declines in customer trust and significant financial losses in the aftermath.

Most companies are already employing strict data security practices around data storage and distribution, says Dudley Kneller, lawyer and technology regulation specialist. Kneller spoke at an industry event in Melbourne for Avtel Data Destruction last month.

“Most organisations are either good or very good, particularly at the top end, at managing their live and current data… they’ve got all the systems in place, they’ve got backup, they’ve got virus patching, they have network security,” Kneller confirmed at the event.

The main concern for businesses in the face of tightening laws is end-of-life data.

“What organisations tend to forget — where they look to drop the ball — is in relation to end-of-life in their equipment,” Kneller said. He continued, saying businesses tend to disregard the information on retired equipment and “chuck it on the scrap heap,” causing a number of security and environmental concerns.

With the changes making publication of breaches compulsory, businesses are looking to new technologies to stay ahead of the game and ensure their continued security.

The safe destruction of data is certainly a growing concern with regards to security and reliability of processes, proper reporting, and environmental impact. New market-leading technologies are emerging in Australia that will ensure total destruction of end-of-life data in a safe, mobile, and environmentally friendly way.

In light of the changing global digital landscape and the legislative changes in Australia, International Computer Security Day this November is a timely reminder to businesses about the importance of digital security awareness at all the various stages of data lifespan.

Upcoming events in Sydney & Canberra

We're very excited to announce the next couple of events we will be running in Australia. After introducing our service at our Melbourne event, we are now taking our mobile machine on the road to Sydney and Canberra!

Our Canberra event is particularly special as it is coinciding with International Computer Security Day. What better way to mark the day than to keep your data safe by securely destroying those old drives you have lying around!

If you would like to attend one of our Sydney and Canberra events, please email us at DataDestruction@avtelglobal.com to RSVP. We look forward to seeing you there!

Click here to read about our last event in Melbourne.
