20 Apr How to Protect Your Business from Data Breaches
Author: Ian Aldridge, Progressive Legal
One phrase that is on everyone’s lips right now is “data breach.”
Hackers have accessed the personal information of over 9 million Australians in the past 60 days alone. For context, the Australian population is currently about 25.75 million people. More than 1 in 3 Australians have been affected by these breaches.
Businesses can suffer serious financial and reputational harm from privacy breaches, and breaches can happen easily: the Australian Cyber Security Centre received one cybercrime report every 7 minutes in the financial year ending June 2022, compared with one every 8 minutes in the financial year ending June 2021.
While big names like Optus and Medibank grab headlines, it’s important to remember that the average cost to a business of a business email compromise is $64,000 per cybercrime report. That’s a lot for one small business to absorb.
Consumers are reconsidering their privacy expectations, and business owners need to be prepared to collaborate with them on these expectations.
We’ve previously discussed why your business needs a privacy policy and what it should contain. This article will outline best practices, what to do if your business experiences a data breach, and the importance of having good policies and procedures in place.
Best Practices to prevent data breaches
Cyber Security Awareness and Training for Employees
Businesses should make sure that their employees are trained in the latest security issues. While many businesses have had information about phishing attempts available to their staff for quite some time, scammers have become more sophisticated over time. This means scammers may target businesses using more detailed, sophisticated information, called “spear phishing.” Business owners should stay aware of phishing trends. This information is available from the Australian Cyber Security Centre here.
In addition to defensive measures, businesses should make sure that employees know how to report a potential breach.
Make sure your software is updated
Updates can prevent security issues and improve compatibility and program features. Software updates are necessary to keep computers, mobile devices and tablets running smoothly, and they reduce the number of known security vulnerabilities an attacker can use against you.
Use strong passwords
Don’t share passwords; keep passwords secure – don’t write them down where others can get them; don’t let your web browser remember your passwords.
Create strong passwords – see the ACSC for a guide here.
Use multi-factor authentication where possible. Multi-factor authentication combines something you know (like a password), something you have (such as an authenticator app or a smartcard), and something you are (a fingerprint or other biometric).
Back up your data regularly
This includes customer information, financial information, and other critical resources for your business. This may include backing information up to an external USB drive, cloud storage, or both. The backups should be disconnected and stored separately from computers – preferably at least one copy should be kept offsite.
Develop a Working from Home Policy
A Working from Home Policy will set out, amongst other things, how devices used outside the office are to be used. With more people working in hybrid configurations or completely from home, be sure to have clear expectations around devices. This includes making sure that devices are updated before being connected to the business network, limiting which devices can be connected to your network, and other steps to reduce your risk.
Avoid public and open Wi-Fi networks
If someone needs an internet connection while away from the office, it’s best practice to use mobile data rather than public or open Wi-Fi. If your office has a Virtual Private Network (VPN), connecting through it is safer still.
What to do if my business has a breach
Don’t panic! While we can’t give technical advice about what to do next, we can help you with the legal side of things.
Go back to your privacy policy to see if you have any guidelines in that policy to help you. If you don’t have a privacy policy and need help, reach out to us.
You’ll need to review what happened to see if what happened is a Notifiable Data Breach (“NDB”).
What is a Notifiable Data Breach?
The breach will be an NDB if:
- There is unauthorised access to personal information or disclosure of personal information held by your business (or information is lost in circumstances where unauthorised access or disclosure is likely to occur);
- This is likely to result in serious harm to any of the individuals to whom the information relates;
- Your business has been unable to prevent the risk of serious harm with remedial action.
Generally, you’ll need to assess the following:
- How did the breach happen?
- How long did the breach last? Is it ongoing?
- What information was exposed?
- How much information was exposed?
- Do you need to make a notification under the Notifiable Data Breach scheme?
- What have you done to fix the breach/what will you do to prevent it in the future?
Here is a link to a read-only NDB form for your reference so you know what information you’ll need to provide.
You’ll also need to inform impacted individuals that their information may have been compromised. You will need the information above to guide these conversations with people.
Upcoming Changes in case of Data Breaches
The Albanese government has introduced legislation that will increase penalties for serious or repeated data breaches. Under the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (“the Bill”), companies with serious or repeated data breaches could incur penalties in the millions of dollars, being the greater of:
- $50 million;
- 3 times the value of the benefit the body corporate (and its related bodies corporate) obtained from the contravention (if a court can determine that value); or
- 30% of the adjusted turnover of the body corporate during the turnover period (a minimum of 12 months) of the contravention.
Individuals with serious or repeated breaches could be assessed fines of up to $2.5 million.
Further, the Bill introduces new powers for the Office of the Australian Information Commissioner (OAIC) to request information about actual or suspected data breaches or a company’s compliance with the Privacy Act’s eligible data breach regime. The Bill does not include any provisions about how quickly the OAIC can request this information, and the OAIC may keep the materials for any necessary period to assess compliance.
Under the Bill, the OAIC may also assess a business’s ability to follow the notifiable data breach scheme.
What should my business do to be prepared?
If you haven’t arranged for a privacy policy yet, please contact our team. We can provide you with a privacy policy to suit your business’s needs for a fixed fee. Prices available here.
If you need help from our privacy lawyers with any related matters, please reach out to us via the contact form on this page or call 1800 082 083.
Tailor Made Legal Documents
We can provide you with tailored Legal Documents in a number of areas including: Intellectual Property Law, Commercial Law, Privacy Law, Workplace Law, Corporate Law, and Litigation / Dispute Resolution.
Click here to request a fixed-price Legal Document and have a look at the range of different documents we can help you with.
Ian Aldridge is the Founder and Principal Lawyer Director at Progressive Legal. He has over 15 years’ experience in advising businesses in Australia and the UK. After practising in commercial litigation for 12 years in major Australian and international law firms, he decided to set up a NewLaw law firm in Australia and assist growing Australian businesses. Since then, he has advised over 2,500 small businesses over the past 6 years alone in relation to Intellectual Property Law, Commercial, Dispute Resolution, Workplace and Privacy Law. He has strived to build a law firm that takes a different approach to providing legal services: a truly client-focused law firm that delivers predictable costs, excellent communication and care for its clients. As a legal pioneer, Ian has changed the way legal services are provided in Australia by building Legal Shield™, a legal subscription to obtain tailored legal documents and advice in a front-loaded retainer package, a world-first. He has a double degree in Law (Hons) and Economics (with a marketing major). He was admitted to the Supreme Court of NSW in 2005.