Thinking | 1 June 2020

Online privacy: what’s at risk?

Hall & Wilcox has been working with cybersecurity company CTRL Group on a number of privacy-related initiatives. This article is co-written by Hall & Wilcox privacy and employment law experts Alison Baker and Iona Goodwin, as well as cybersecurity specialists Sahand Bagheri (CTRL Group) and Fergus Brooks (The Cyber Advisory Practice, a CTRL Group advisor and industry partner).

Alison Baker was also interviewed by Vesta Gheibi (CTRL Group) who leads 'Cyber in Business' a cybersecurity information and multimedia hub. Alison spoke about privacy and data protection for business.

The last decade saw an explosion in the amount of data entrusted to third parties with a corresponding explosion in instances of cybercriminals targeting personal information for profit.

The COVID-19 crisis has seen cybercriminals tailoring their attacks to take advantage of the crisis. This has included a dramatic increase in cyberattacks directed at businesses across a range of industries.

The Australian Cyber Security Centre reports that cybercriminals are distributing COVID-19 related SMS and email campaigns. The Australian Competition and Consumer Commission has reportedly received reports of losses from COVID-19 scams in Australia in the vicinity of $130,000. Some commentators have reported a 37% increase in hacking and phishing attacks. The true extent of malicious cyber activity is likely to be much greater as not all cases are reported.

In the context of COVID-19, with more and more of us working from home, and the increasing use of technology as a means of fighting COVID-19, including the Australian Government’s COVIDSafe contact tracing app, understanding privacy is more important than ever.

Working from home

Entities that are covered by the Privacy Act 1988 (Cth) (Privacy Act) must remember that the Privacy Act and the Australian Privacy Principles (APP) will apply when employees are working from home. In particular (but not only):

  • APP 11 (security of personal information) mandates that entities must take active measures to protect the personal information they hold from misuse, interference and loss, as well as unauthorised modification or disclosure; and
  • the Notifiable Data Breach scheme requires entities to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) in the event of an eligible data breach.

Entities should consider how working from home impacts the way their employees handle personal information and conduct an assessment of potential privacy risks.

If privacy risks are identified, the business should put in place appropriate risk mitigation strategies.

Some factors that entities should consider in assessing risks arising from handling personal information where employees are working from home include:

  • The nature of the entity’s privacy governance, culture and training – are employees privacy educated and sufficiently trained? Is the privacy policy fit for purpose?
  • The level of IT security – do employees have secure remote access? Does the business use multifactor authentication for remote access?
  • What measures are in place to prevent other persons accessing personal information that an employee may access remotely?
  • Plan for data breaches – is there a response plan in place to deal with data breaches?

Here are some specific recommendations for reducing your risk.

Data classification

The key to risk reduction is an entity understanding the nature and location of the data it holds that may be at risk. To do this, data should be classified by sensitivity. There is little point enhancing security measures on data that can be deemed public, however keeping secure sensitive and/or confidential data is essential. The first step to data security is to undertake a data classification exercise.

A data classification exercise examines the critical data groups within your organisation. Through workshops, innovative data discovery tools and a security evaluation platform, entities can identify critical data within their environment, where it is stored, and the controls and processes wrapped around it. The value of conducting a data classification exercise is that it will give an organisation an advantage in responding to any breaches, because it will be able to quickly identify the nature of a data breach and respond accordingly.

Penetration testing

Once data has been classified and storage security identified, it is important to test what network users (and thus cybercriminals if they find a way in) may be able to find and copy. CTRL Group recommends scanning your assets for vulnerabilities and thoroughly testing any vulnerable systems. Many data breaches are a result of cybercriminals gaining access to the organisation’s environment and performing reconnaissance to find vulnerable systems. Regular external and internal vulnerability and penetration testing, combined with swift remediation of any issues, are key defensive techniques to keep sensitive data secure.

Cybersecurity strategy and incident response

Once data classification exercises and system testing is completed organisations can identify their vulnerabilities and build and modify their cybersecurity strategy with a focus on data privacy and information security. The high percentage of reported breaches caused by human error underscore the need to improve privacy and security awareness of all staff. This can be achieved through an interactive program of awareness training.

Undertaking the measures set out above and having a robust cybersecurity strategy will improve your organisation’s ability to protect the privacy of the data it holds. However, there will always be risk of a data breach due to unforeseen circumstances. Given this, organisations should be prepared to respond to a data breach by response planning and scenario testing. Incident simulation exercises also amplify a culture of 'privacy and security first', which is crucial as pools of sensitive data continue to grow. Handling a data breach well will reduce the potential negative impact to the organisation including interest from regulators and damage to brand and reputation.

Contact

Alison Baker

Alison has more than 20 years’ experience in a wide-ranging employment practice, advising private sector and public sector clients...

Iona Goodwin

Iona has experience in assisting clients with both litigious and non-litigious employment and workplace relations matters.

You might be also interested in...

Employment & Workplace Relations | 1 Jun 2020

New Victorian direction: employees must work from home, employers face penalties for non-compliance

New Stay Safe Directions and Restricted Activity Directions take effect in Victoria today, replacing the ‘5 reasons to leave home’ with a broader directive that Victorians can leave home for any reason, subject to certain restrictions. One of these restrictions is that a person should only leave home and return to the workplace if it’s not reasonably practicable for them to work from home, or from another suitable location. Our Employment team outlines what employers need to know.

Employment & Workplace Relations | 5 Jun 2020

Gendered effects of COVID-19: the hidden consequences of operational change

During COVID-19, women are more likely to be stood down, made redundant or otherwise disadvantaged as compared to men. Why? Firstly, women are overrepresented in industries that have been hit the hardest, including travel and tourism, childcare, beauty and retail.