[BreachExchange] Data protection for small entities

Audrey McNeil audrey at riskbasedsecurity.com
Tue May 10 21:25:53 EDT 2016


http://www.smh.com.au/small-business/smallbiz-tech/data-protection-for-small-entities-20160510-gory59.html

Recent major data security scandals include the leaked Panama Papers
database of more than 200,000 shell companies. This cast aside the veil of
confidentiality over the arrangements of many high profile local and global
business people. These events shine a light on the importance of data
safety, especially for small businesses.

Small businesses are embracing the flexibility and efficiency gains
technology brings. Today's climate of rapidly developing technology,
together with increasingly paperless offices, means considerable business
information is stored online. Data protection is now a material issue for
even the newest and smallest online business.

What obligations apply to Australian SMEs?

Customers are increasingly concerned about data protection. But legal
obligations are not straightforward for small businesses. Privacy,
data-matching, spam and surveillance laws impose a complex matrix. There
are additional laws for telecommunications and health businesses. Small
businesses need to chart a viable course through the requirements, to meet
their legal obligations and the expectations of customers.

Legal obligations

The Privacy Act 1988 (Cth), Spam Act 2003 (Cth), Telecommunications Act
1997 (Cth) and several pieces of health legislation are some of the key
laws that impose data protection obligations.

The Privacy Act and the Australian Privacy Principles (APPs) set out data
security and privacy obligations. The obligations apply to businesses that
fall under the umbrella of an "APP entity". This includes all private and
not-for-profit organisations with an annual turnover of more than $3
million with certain exceptions (private health service providers are
considered an APP entity regardless of turnover).

The APPs outline how businesses must handle, use and manage personal
information. There are stricter obligations for sensitive information such
as information about an individual's health, race, ethnicity, religious
beliefs and sexual orientation. For example, businesses must not collect
sensitive information about an individual unless the individual has
consented and the information is reasonably necessary for the entity's
functions.

The Telecommunications Act 1997 (Cth) imposes restrictions on the use and
disclosure of telecommunications and communications-related data.

The Spam Act 2003 (Cth) restricts businesses from using personal contact
information to send unsolicited commercial electronic messages. One of the
first Spam Act cases involved a business sending in excess of 213 million
emails. The company was fined $4.5 million and the managing director was
fined $1 million.

Practical steps

Businesses need to install security safeguards and take reasonable steps to
protect the personal information they hold. This includes taking reasonable
steps to protect information from misuse, interference, loss, unauthorised
access, modification and disclosure. Under the Privacy Act, businesses are
required to destroy or de-identify personal information that is no longer
needed.

Reasonable steps include checking what information your business collects,
conducting a risk assessment and a privacy impact assessment, developing
data breach policies and response plans, training staff and installing
technology safeguards.

Reasonable measures to prevent data breaches include grading information by
sensitivity, imposing online access restrictions, continuous monitoring and
review of data security. Businesses also need procedures to deal with data
security breaches.

The Australian Information Commissioner can investigate breaches. Serious
and repeated interferences may lead to civil penalties including fines.

Impending new obligations

The Government has foreshadowed legal changes that will increase the legal
obligations for businesses. Currently, data breach notifications are not
mandatory. The Government released a draft serious data breach notification
bill in December 2015. The amendments will require all APP entities to
notify the Federal Privacy Commissioner and individuals of serious data
breaches.

SME risks and solutions

Small and medium businesses can be particularly vulnerable to data
breaches. They face the same data security risks as large corporations,
but they are unlikely to have the same budget to implement high-level
security protection.

If an SME is an APP entity (under the Privacy Act) it has a legal
obligation to take reasonable steps to protect customer personal
information. Even if an SME does not fall within the definition of an APP
entity, customers expect a certain standard of data security and privacy.
One data breach can result in far reaching consequences, including loss of
customers and reputation.

SMEs should periodically review what information is collected and how it is
stored to ensure there are adequate protections in place. New technology
may be efficient, but SMEs should understand the risks and implement
sufficient security safeguards.

Businesses need to consider internal and external data protection. Is
access to confidential information and trade secrets limited to only a few
trusted employees? Is access to sensitive information limited to only those
who need to know? What about external risks? Many SMEs stored data locally
in the past. It is increasingly common to use cloud-based solutions due to
the ease, flexibility and potential cost-savings of such systems.
Cloud-based systems are exposed to different risks and can be more
susceptible to hackers.

Without reliable data security safeguards, SMEs risk data breaches that
could result in loss of crucial business information and customer trust and
goodwill. In a world where privacy and safety of personal information has
become an expectation, it is crucial that data security is taken seriously.