PPE: Privacy Protective Equipment Series – Part 2: Data Security during COVID-19
In PPE Part One, we took you through the protection of Personal Information, COVID-style. The aim is not just continued compliance with your organisation’s obligations under the Privacy Act 1988, but to prepare and protect the security of personal information your organisation collects, uses and holds.
But in this unprecedented economic environment where the working landscape has changed so dramatically, data breaches are inevitable. Even if your organisation is doing everything it can to prevent loss or unauthorised access of personal information, you must know how to respond to a data breach if it happens.
PPE Part Two is all about data security regulation and what you must do to respond to a violation, including preparation of a Data Breach Response Plan.
Heightened Risk of Data Breaches Amid the Pandemic
Can you relate to any of these hypothetical data breach scenarios?
Deborah is a managing partner of a mid-tier financial services firm, and in late February one of her senior analysts tested positive to COVID-19. Debbie (as she’s affectionately known to staff) acted immediately to close the office for cleaning and direct that employees stay home to quarantine and work where possible. The sudden change meant a mad scramble for IT to set up equipment so staff could keep working from home. In the rush, several computers were overlooked for security software, the latest antivirus updates and properly configured VPNs, leaving staff working on devices that are far less resistant to attack.
Joseph works in customer service at a government health insurance organisation, guiding sick patients through the compensation claim process. Since many of his clients are elderly, he is on the phone a lot to discuss their claims. Joseph’s organisation has implemented working-from-home measures since late March, so Joseph has been taking and making these calls in the one-bedroom apartment he shares with his wife, Heidi (who is also working from home and, no matter where she moves to, can regularly hear the sensitive health information being discussed between Joseph and his clients).
The construction sector is still moving, so Edward is still working on site as a junior engineer. His boss has called Edward to say that he’s feeling under the weather with a sore throat and fever, so he needs to quarantine at home in case it’s #Rona. Edward’s boss is under pressure to keep the job moving ASAP in case the sector is shut down or economic activity slows, so he tells Edward how to remove the admin restrictions in the site office for the day so tasks can be completed without administrator oversight. Unbeknownst to Edward, running those “unpatched” business computers with admin restrictions removed allows attackers to install malicious files with administrator privileges.
Karen is a credit officer working at her parents’ home during the pandemic. They’re older, her dad has diabetes and her mum is asthmatic, so Karen is keen to make sure they are looked after. Her employer has been really supportive about her working from home to care for her parents, so Karen used a USB stick to transfer files from her work computer to her personal laptop in order to keep working. Karen’s colleagues are also sending new credit applications to her personal email. What Karen doesn’t know is that malware has installed a keylogger on her laptop.
It’s not hard to see what each of these scenarios has in common. Bingo… data security.
COVID-19 has laid bare many gaps in data security for businesses, and with a majority of employees now working from home, the IT landscape has changed dramatically. Some organisations may find that they are critically dependent upon technology and that business systems are stretched. Conversely, others may experience deficiencies in their IT assets due to budgets and projects being cut to mitigate current economic conditions. IT departments are rushed to keep organisations working (and billing), and the rapid addition of new hardware leaves little time for security. Assets are being left unsecured, whether purposely or unintentionally. Untrained (or simply unprepared) users are making mistakes. We are seeing an increase in staff using apps, collaboration platforms, software and devices that aren’t approved by their organisations. And with those gaps comes a heightened risk of data breaches occurring.
Data Security Regulation
With the commencement of the Notifiable Data Breach Scheme (“NDB Scheme”) on 22 February 2018, not only is there an obligation on businesses to notify the regulator (the OAIC) about a “serious data breach” but also a requirement to have a Data Breach Response Plan.
A “serious data breach” is a violation of data security that can cause serious harm to individuals (even if the violation is not malicious, as in the examples above). Examples include client information being accidentally lost or stolen, a database holding personal information being hacked, or personal information being mistakenly disclosed. Serious harm resulting from a breach can take many forms – financial loss through fraud, psychological harm, identity theft, harm to reputation, or a risk of physical harm (such as domestic violence).
Under the NDB Scheme, organisations generally have 30 days to notify the OAIC of the breach.
The OAIC says that a Data Breach Response Plan is essential to facilitate a swift response and ensure that an organisation meets its legal obligations following a data breach. And in COVID, this sort of PPE is needed now more than ever.
PPE: Your Data Breach Response Plan
So how do you respond to a data breach and prepare a Data Breach Response Plan? Well, there are 4 key steps:
Step 1: Contain the Breach
- Ensure security systems are equipped to handle data breaches before they happen
- If a breach does occur, move immediately
- Take each potential data breach seriously
- Limit any further access or distribution of affected personal information
Step 2: Assess the Breach
- Deploy Incident Response Team – get legal advice!
- Gather and evaluate all possible information about the breach
- Understand the risks posed by the breach
- Consider whether your notification obligations are triggered
- If required, conduct a formal assessment within 30 days
- Can remedial action be taken at this time?
Step 3: Notify the Breach
- If your notification obligations are triggered by an eligible data breach, you may have to notify the Commissioner and affected individuals
- Consider what information should be provided in the notification
- How should the notification be given to affected individuals?
- Should any other person or entity be notified?
- Consider what other obligations you have under the NDB scheme
Step 4: Review the Breach
- Conduct a review of the data breach from start to finish
- What lessons have been learned?
- Consider what actions can be taken to prevent future data breaches
- How can your information security systems, privacy policies and handling procedures be improved?
- Should any changes be made?
- Document the review
What NOT to do:
- Don’t destroy evidence in step 1 (contain) that may be valuable in identifying the cause of the breach!
- Don’t ignore or delay!
- Don’t assume whether or not it’s a real data breach – assess!
- Don’t omit important people or information from the notification!
- Don’t skip the review or its documentation!
- Don’t forget the data breaches of your suppliers!
How to Prepare for (and Respond to) Data Security in Your Organisation
Together with the OAIC, we have a number of recommendations that you can take from this article back to your team and business:
- Keep up to date with the latest advice from the Australian Cyber Security Centre;
- Secure devices such as mobile phones, laptops, data storage devices and remote desktop clients;
- Make sure all devices, Virtual Private Networks and firewalls are up to date with the most recent security software. Better yet, enable remote wipe of computers that are compromised. Work with your IT department or provider on this one;
- You need a plan for how to deal with any data breach. If you need help creating one, reach out to a professional;
- In your Data Breach Response Plan consider template letters, website notifications, email notifications, an emergency hotline, a press release and engaging external consultants to review your process and security safeguards;
- Think of your Data Breach Response Plan like a fire drill – have a team organised and practice your proposed response;
- Don’t forget your suppliers – in this cloud-based world your data could be held anywhere. If the storage of records is outsourced to a third party, then your organisation could be responsible in the event of a data breach by that supplier.
- Know how your suppliers propose to manage a data breach. Have they had data breaches in the past? Have they a record and reputation for trustworthy services? Do you need to ensure your contracts will protect your company in the event of a breach?
- Remind staff to only use trusted sources of information and to be wary of scams;
- Help your staff to know and implement proper processes while at home, including assessing their home network’s security, avoiding use of portable storage devices that can be easily misplaced, securing devices when not in use, only using trusted wi-fi and using strong passwords;
- Don’t forget to regularly de-identify your data. If you have a data breach incident and your data is years old, you may be forced into advising far more affected parties than strictly necessary. Regular cleansing of the database will ensure any data breach is limited only to current customers;
- Don’t forget about cyber insurance, which can give you a further tool in your risk management kit. New policies may not be issued during the pandemic BUT do check your current policy if you have one.
For more information, contact Holly Jackson