Why how you store data could make or break your business
-
Loading... - jake olivia
- 31 May 2022
- 295 Views
- 0 Like
- 0 Comment
It began with an old website that was no longer being used and ended with AA Traveller emailing hundreds of thousands of customers, telling them their personal information was in the hands of hackers.
The reason?
Setting aside the fact that cybercriminals are ultimately to blame, the AA never deleted the data on the decommissioned website. This allowed hackers to take the names, addresses, contact details and expired credit card numbers of customers who used the website between 2003 and 2018. In particular, there was a 2010 online survey that nearly 30,000 people responded to. The AA said those surveyed were at risk of being hacked by an overseas account.
On top of that, the breach itself happened in August last year. AA Traveller only found out this March. It made a public apology, acknowledged customers should have had their data protected and said it was "incredibly sorry".
But it's something Auckland-based IT services provider Vertech says could have been completely avoided. The company's founder and CEO, Daniel Watson, thought the AA would have had that data better secured than it did.
"[The survey] was 12 years old," he says. "Why were you still keeping it?"
Knowledge is power
The acting Privacy Commissioner Liz MacPherson says as the world continues to morph into a digital economy, data becomes more and more important.
For example, the more you know about a person, the more you can personalise services or products for them, increasing the chance they'll like it and, as a result, keep them coming back. MacPherson says personal information is being collected every day. According to the Privacy Act, the commissioner says personal information is "any information about an identifiable living human being, so anything that can tell us about a specific individual."
"There are all sorts of different things if you use that definition that are picked up as personal information - names, contact details, financial health records, purchase records, client details, client records, correspondence, employee records," she says.
So just how much information does the average organisation hold about us?
Vertech's senior systems engineer Peter Drum specialises in data and data governance and explains that it's complicated.
It depends on a whole range of factors, including the:
· Length of time the business has been running
· Scale of the business and the nature of the work they do
· Data retention of the business, this can be affected by things like legal requirements and whether acquired companies have different metrics for retaining data
"There's not sort of one guiding figure that you might say for every three staff you have 200 gigabytes of data or something nice and simple like that," says Drum.
Watson says anecdotally, clients seeking him out know they have issues, but they're not sure what they are.
"Very few companies come to us and say 'hey say check us out' and we have a look and we say 'oh nothing to do here, you're good'. Essentially, from our perspective, it's a vast market but at the same time that's quite worrying. We've all become digital packrats."
Drum says that's because the storage of data itself has changed. There's simply no limitation on how much you can store because companies don't need vast rooms for physical records.
"You can keep huge amounts of data, the limitation is not cost anymore, the limitation is really do you need it?" he says.
"That can be a hard decision or a low priority decision because there are other concerns that business owners have."
But choosing to delay dealing with data storage can come back to haunt companies. The AA example is the most recent warning but surely won't be the last.
Under the Privacy Act, agencies must take reasonable steps to avoid security breaches and protect customer data privacy.
MacPherson explains what the threshold is. "Its a case by case situation," she says.
"[But] we would be expecting agencies to understand the nature of their data, the nature of their data flows and to have put in place reasonable protections externally, making sure if you use software that it's patched regularly, passwords, authentication, making sure usb sticks are encrypted, all those sorts of things."
Breaking the law
Under the Privacy Act, there are two avenues for the Privacy Commission to investigate a company around breaches. First, an individual can make a complaint if they feel a business has breached their privacy or if the company refuses to give them the personal information they hold on that person.
"We look at, first of all, has there been a breach of their privacy and secondly whether there's been harm caused," says MacPherson.
"If we find that there has been interference in someone's privacy we can recommend financial compensation. We don't actually issue fines [ourselves], but if a privacy complaint then goes onto the human rights review tribunal, an agency can be liable for damages up to $350,000 per privacy complaint."
The second way the Privacy Commission can investigate a company is through a new power under the Privacy Act 2020. The Privacy Commission can take proactive action where it believes there are systemic issues or failures regarding privacy breaches. After the initial investigation, MacPherson says they try to educate the organisation.
"Often that's really successful," she says.
"People go 'oh gosh I never realised that this was what I was supposed to do' and they put it right. Sometimes we have to give people warning letters which effectively say, if you don't put this right then we're potentially going to follow up with a compliant notice or we could take compliance action."
MacPherson says there are multiple different points where companies can turn things around without being taken to court.
"Prosecutions take a long time so our aim is to actually get the behaviour shifts early and we think it's in the best interest of agencies to change their behaviour," she says.
However, if it does land in court, the maximum penalty for a criminal offence, such as failing to comply with a compliant notice, is $10,000.
Since December 2020, there's also a mandatory requirement for businesses to disclose serious harm privacy breaches within 72 hours of becoming aware of it. But MacPherson says the legal implications aren't the only consequences companies should consider.
"The biggest issues for a company is actually the reputational damage that comes from having a breach, be it an internal or an external breach. The reputational damage is the thing that will stay with the company and it can mean the customers lose confidence," she says.
"Trust is something that takes a long time to build and it's very easy to lose." Read More…
