Online privacy: what’s at risk?
Hall & Wilcox has been working with cyber security company CTRL Group on a number of privacy-related initiatives. This article is co-written by Hall & Wilcox privacy and employment law experts Alison Baker and Iona Goodwin, as well as cyber security specialists Sahand Bagheri (CTRL Group) and Fergus Brooks (The Cyber Advisory Practice, a CTRL Group advisor and industry partner).
Alison Baker was also interviewed by Vesta Gheibi (CTRL Group) who leads ‘Cyber in Business’ a cyber security information and multimedia hub. Alison spoke about privacy and data protection for business.
The last decade saw an explosion in the amount of data entrusted to third parties with a corresponding explosion in instances of cybercriminals targeting personal information for profit.
The COVID-19 crisis has seen cybercriminals tailoring their attacks to take advantage of the crisis. This has included a dramatic increase in cyberattacks directed at businesses across a range of industries.
The Australian Cyber Security Centre reports that cybercriminals are distributing COVID-19 related SMS and email campaigns. The Australian Competition and Consumer Commission has reportedly received reports of losses from COVID-19 scams in Australia in the vicinity of $130,000. Some commentators have reported a 37% increase in hacking and phishing attacks. The true extent of malicious cyber activity is likely to be much greater as not all cases are reported.
In the context of COVID-19, with more and more of us working from home, and the increasing use of technology as a means of fighting COVID-19, including the Australian Government’s COVIDSafe contact tracing app, understanding privacy is more important than ever.
Working from home
Entities that are covered by the Privacy Act 1988 (Cth) (Privacy Act) must remember that the Privacy Act and the Australian Privacy Principles (APP) will apply when employees are working from home. In particular (but not only):
- APP 11 (security of personal information) mandates that entities must take active measures to protect the personal information they hold from misuse, interference and loss, as well as unauthorised modification or disclosure; and
- the Notifiable Data Breach scheme requires entities to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in the event of an eligible data breach.
Entities should consider how working from home impacts the way their employees handle personal information and conduct an assessment of potential privacy risks.
If privacy risks are identified, the business should put in place appropriate risk mitigation strategies.
Some factors that entities should consider in assessing risks arising from handling personal information where employees are working from home include:
- The nature of the entity’s privacy governance, culture and training – are employees privacy educated and sufficiently trained? Is the privacy policy fit for purpose?
- The level of IT security – do employees have secure remote access? Does the business use multifactor authentication for remote access?
- What measures are in place to prevent other persons accessing personal information that an employee may access remotely?
- Plan for data breaches – is there a response plan in place to deal with data breaches?
Here are some specific recommendations for reducing your risk.
Data classification
The key to risk reduction is an entity understanding the nature and location of the data it holds that may be at risk. To do this, data should be classified by sensitivity. There is little point enhancing security measures on data that can be deemed public, however keeping secure sensitive and/or confidential data is essential. The first step to data security is to undertake a data classification exercise.
A data classification exercise examines the critical data groups within your organisation. Through workshops, innovative data discovery tools and a security evaluation platform, entities can identify critical data within their environment, where it is stored, and the controls and processes wrapped around it. The value of conducting a data classification exercise is that it will give an organisation an advantage in responding to any breaches, because it will be able to quickly identify the nature of a data breach and respond accordingly.
Penetration testing
Once data has been classified and storage security identified, it is important to test what network users (and thus cybercriminals if they find a way in) may be able to find and copy. CTRL Group recommends scanning your assets for vulnerabilities and thoroughly testing any vulnerable systems. Many data breaches are a result of cybercriminals gaining access to the organisation’s environment and performing reconnaissance to find vulnerable systems. Regular external and internal vulnerability and penetration testing, combined with swift remediation of any issues, are key defensive techniques to keep sensitive data secure.
Cyber security strategy and incident response
Once data classification exercises and system testing is completed organisations can identify their vulnerabilities and build and modify their cyber security strategy with a focus on data privacy and information security. The high percentage of reported breaches caused by human error underscore the need to improve privacy and security awareness of all staff. This can be achieved through an interactive program of awareness training.
Undertaking the measures set out above and having a robust cyber security strategy will improve your organisation’s ability to protect the privacy of the data it holds. However, there will always be risk of a data breach due to unforeseen circumstances. Given this, organisations should be prepared to respond to a data breach by response planning and scenario testing. Incident simulation exercises also amplify a culture of ‘privacy and security first’, which is crucial as pools of sensitive data continue to grow. Handling a data breach well will reduce the potential negative impact to the organisation including interest from regulators and damage to brand and reputation.