What is a data breach?
A data breach is an incident in which sensitive, protected or confidential data is potentially accessed, modified, viewed or misused by an individual who is not authorised to do so. Data breaches may involve personally identifiable information (PII), trade secrets or intellectual property. A data breach is not limited to a single consumer having their identity compromised; it often involves the unauthorised access of hundreds, thousands and sometimes millions of records containing personal information.
How often do data breaches occur?
At least one data breach occurs every week in Australia, with an average of 20,073 records lost or stolen per incident. [1]
Currently, the true scale of data breaches in Australia is unknown because there are no mandatory notification laws. Overseas experience suggests that unreported data breaches are far more common than the people affected realise.
What are the implications to business?
Depending on the size of the data breach, a business can be impacted in a number of ways. Some of the impacts are:
- Loss of valuable data
- Costs of remediation and third party litigation
- Costs of breach notification
- Reputational damage to brand and diminished consumer confidence
- Revenue impacts – customers switch to competitors, prospects more likely to choose competitors
- System and technological disruptions
- Changes to staff and management
In Australia, unlike many other countries, there has been no law requiring organisations to report data breaches. This is soon to change, with a draft bill released for consultation in December 2015.
This proposed change to privacy laws will require organisations to disclose a breach within 30 days if it concerns personal information and "there is a real risk of serious harm to any of the individuals" to whom the information relates.
When an organisation suspects a serious data breach has occurred it will have 30 days to assess whether it needs to notify affected customers. This notification must include a description of the data breach, the kind of information involved and how customers should respond to the incident. The Privacy Commissioner will also have the power to force organisations suffering a serious data breach but who have not notified customers to do so.
There are also stiff penalties, with individuals facing fines of up to $340,000 while organisations could face fines of up to $1.7 million.
How does a data breach happen?
Data breaches can occur in a number of ways:
- lost or stolen hardware including laptops, tablets, phones and removable storage devices, as well as paper records containing personal information
- storage devices being disposed of or returned to lease companies without the contents being erased. This can include hard disk drives and other digital storage media (integrated in other devices, for example, multifunction printers, or otherwise)
- databases containing personal information being ‘hacked’ into or otherwise illegally accessed by individuals outside of the agency or organisation
- employees accessing or disclosing personal information outside the requirements or authorisation of their employment
- paper records stolen from insecure recycling or garbage bins
- personal information mistakenly being provided to the wrong person, for example by sending details to the wrong address, or an individual deceiving an agency or organisation into improperly releasing the personal information of another person
How should you respond to a data breach?
Once your organisation has discovered or suspects that a data breach has occurred, it should take immediate, common-sense steps to limit the breach:
- Create an Action Plan
Gather the critical employees who will be involved in the initial assessment, investigation, remediation and communications. Determine what other steps are immediately necessary. Agencies and organisations should assess the risks associated with the breach and whether there is a real need to assemble a team; such a team could include representatives from the appropriate parts of the agency or organisation, and everyone on it should understand their assigned responsibility.
Determine who needs to be made aware of the breach (internally, and potentially externally). In some cases it may be appropriate to notify the affected individuals immediately and convey what steps your organisation is taking to resolve the breach. Accepting responsibility and being transparent shows that your organisation values your customers’ privacy and security.
- Post-Breach Protection
Provide options for post-breach protection for customers whose personal information has been compromised. Credit monitoring or identity protection solutions are effective after the event. Many companies have been criticised for failing to act quickly after a hacking attack.
- Get Specialist Help
Bring in accredited computer forensics specialists to look through your logs to understand exactly what happened. Be patient with them – the preference is to be correct in your analysis of what occurred and the scale, rather than making an incorrect public statement straight away.
- Learn and Change
Learn from your mistakes. Implement updated technological solutions and processes to ensure that the same weakness cannot be exploited again. Develop an ongoing data breach response plan so you are not caught off guard if a similar incident occurs again.
Equifax is able to help protect your customers in the event of a data breach. Our solutions can also be used as a precaution and be provided to staff to help protect your business.
Credit Monitoring and alerts
Credit monitoring and alerts provide customers with access to their credit report and with ongoing alerts when certain changes occur on it. With this information, customers are quickly able to identify any fraudulent activity, such as payment defaults, new credit inquiries, changes made to their address, or someone trying to apply for credit in their name as a result of identity theft. This helps customers protect themselves from financial loss and reputational damage.
Identity monitoring is helpful for monitoring non-credit-related personally identifiable information (PII). By monitoring online forums where stolen information is illegally traded, identity monitoring helps to protect a customer's identity by alerting them if this information is found to be compromised. Equifax's Identity Watch service continually monitors information such as credit and debit cards, bank accounts, passports, driver's licences, Medicare cards, phone numbers, email addresses, and eBay and PayPal accounts. If this information is found to be compromised, the customer is alerted and given steps to take to help protect their identity and reduce the risk of identity theft.
For more information
[1] Identity Crime and Misuse in Australia. Australian Attorney-General's Department, September 2015. https://www.ag.gov.au/RightsAndProtections/IdentitySecurity/Documents/Identity-Crime-and-Misuse-in-Australia-2013-14.pdf