“We take your privacy seriously.”
Not since the advent of electronic banking finally rendered obsolete the laughable phrase “your cheque is in the mail” has there been a phrase which is more likely to induce me to – depending on my mood – engage in exaggerated eye-rolling, mutter rude things under my breath, or simply shout “liar liar pants on fire!”
News this week that hackers stole information about 50 million Uber passengers (and 7 million drivers) from around the globe has put data breaches – and their repercussions – squarely on the front page.
What is particularly galling about the Uber example was not just the failure of information security, but the immoral corporate behaviour that followed. Instead of telling their customers or drivers (or indeed privacy regulators), Uber hid the news for a year, and paid off the hackers $100,000 to keep quiet. If you thought the job of the privacy and security team is to keep things quiet in order to protect the firm’s reputation, you would be wrong. Uber has now sacked its chief security officer and one of his deputies, for failing to properly disclose news of the data breach. Privacy regulators around the world are now asking questions.
How does this stuff happen? I don’t mean ‘how did the hackers get the data?’ I mean: Why are incredibly wealthy and powerful companies getting away with treating our personal information so shabbily that we are exposed to risk in the first place?
As security researcher and blogger Troy Hunt argues, there has been minimal accountability for data breaches because there has not been enough of a financial disincentive for companies to truly care about privacy and security. Until now.
The consequences of a data breach will get much, much more serious in 2018. Here in Australia, our notifiable data breaches scheme kicks off in February, with maximum civil penalties of A$2.1M for a failure to properly follow the notification requirements. Then in May the GDPR commences, with its seriously hefty fines of up to €20M, or 4% of a company’s annual global turnover, whichever is the greater. Even though it is European data protection law, its reach can extend to Australian organisations.
Things are ramping up in the US too. A failure to notify the appropriate regulator and affected individuals within the specific timeframe landed an Illinois surgery in hot water earlier this year. For delayed reporting on the loss of hard copy records about 836 patients, the US Department of Health and Human Services levied its first fine – of US$475,000 – for non-compliance with data breach notification requirements.
Of course, fines from privacy regulators are not the only cost incurred for a company dealing with the fallout from a data breach. Following an incident earlier this year in which the personal information of more than 145 million people in the US and the UK was potentially exposed, the credit bureau Equifax lost $87.5m in the first quarter after the breach. That cost included legal and consulting fees, as well as costs related to the services offered to people whose data was compromised. Its quarterly profits also dropped by 27%. (And, importantly, in the wake of the Equifax breach, lawmakers in the US are finally talking seriously about the need for broad-based data protection legislation. Hurrah!)
Meanwhile Target’s 2013 data breach, in which hackers were able to steal information about 40 million credit and debit cards used by customers in its stores, had cost it a staggering US$202M by May 2017 – with a consumer class action still outstanding.
So what might cause the kind of data breaches which, come 2018, will need to be notified?
Leaving aside examples of malicious hacking and deliberate misconduct by disgruntled employees, let’s review a few other scenarios, which are disturbingly common:
- Putting databases or backups on a publicly-facing website. This was the cause of the Red Cross data breach affecting more than 1M people in Australia, the Capgemini leak of Michael Page recruitment data, as well as the leak of more than 43,000 pathology reports in India, and the personal information about more than 198 million American voters from the Republican National Committee.
- Leaving unsecured AWS ‘buckets’ of data in the cloud. This has happened most recently to the ABC, as well as Accenture, Viacom and a recruitment company holding data on military veterans and others holding security clearances. Plus to a contractor holding staff records from AMP, the Department of Finance, the Australian Electoral Commission and others.
- Allowing sensitive data to be stored on unencrypted mobile devices. A paediatric hospital in Texas, contrary to prior security advice, failed to deploy encryption or other measures on all of its mobile computing devices. So no surprise when a staff member left behind at an international airport an unencrypted non-password protected BlackBerry, containing the electronic health records of 3,800 patients. Still not learning the importance of information security, a few years later the same hospital suffered the theft of an unencrypted laptop from an unsecured work area; the laptop contained the electronic health records of 2,462 individuals. The hospital was fined US$3.2M for the two instances providing evidence of their failure to comply with data security rules.
(And if those examples of insecure electronic health records from the US scare you, don’t imagine that things are magically any better here. The Chief Information Security Officer of the Australian Digital Health Agency, the agency charged with implementing the My Health Record, said of GP clinics here: “they’re going to be sitting on a Windows XP machine that has vulnerabilities up the kazoo”.)
So, dear privacy and infosec professionals, I hope you are already mentally creating your list of ‘things I need to check that our organisation doesn’t do’.
But that’s not all of it. Preventing data breaches is not just about the tech. It’s about people. All of your people. It’s about the things that you do do.
Because just like US President Trump leaving the key in a classified lock-bag in the presence of non-security-cleared people, we all have our bad days. (Hands up anyone who has ever accidentally emailed something to the wrong person.) Research from both the UK and the US suggest that human frailties – ignorance, laziness, carelessness – are the root cause of more than half of all data breaches.
So here’s some more, sadly common, examples:
- Failing to properly redact government documents before their public release. This year’s examples alone include the accidental publication of the private mobile phone numbers of hundreds of federal politicians, former prime ministers and senior political staffers; the publication by Comcare of the personal details of an injured worker; and the publication of information contained in hundreds of confidential submissions from families of children who have self-harmed and been the victims of bullying.
- Mishandling the mailout or other transmission of records. There have been examples from Victoria of posting confidential children’s court records to a violent family member; or in NSW where 2,693 photo ID cards, including driver licences and gun licences, were sent to the wrong people.
- Poor disposal of paper records. Examples include the medical letters about more than 1,400 public and private patients found in a public bin in Sydney after being dumped by a contracted transcription service provider; or the private hospital medical records found lying in the street in Victoria.
- Leaving a laptop in a parked car. This happened to a company providing mobile monitoring of patients with cardiovascular disease. When the employee’s laptop, containing health information about 1,391 patients, was stolen from their parked car, the company was fined US$2.5M.
So what’s a privacy officer to do?
The privacy team should be working hand-in-hand with the information security team, to prevent data breaches. The privacy messages to staff need to include: don’t collect more personal information than we need; only keep it for as long as we genuinely need it; and don’t use it for secondary purposes without permission. The less personal information you hold, the less risk you need to manage for.
(And yes, sometimes that means saying to the CEO or venture capitalists: No, we should not be collecting intrusive location data about our customers – or, you know, littering the streets with dockless share bikes – just because we might find a way to monetise our customers’ personal information later on.)
You also need to embed a culture of good data security, at every level in the organisation. Obviously you need good policies and procedures, and visible enforcement of those policies and procedures. But it’s more than that: staff need training. And reminders. And more training. And more reminders. And then you can make sure that your tech is delivering on your security promises. (For one example of data loss prevention tech, see the White Paper on data classification we wrote for our client janusNET.)
Oh, and don’t forget your contractors: third party involvement can be the weakest link in the security chain. A study of data breaches by the Ponemon Institute and IBM found that third-party involvement was the top ranking factor that led to an increase in the cost of a data breach. A recent example: customer data leaked from a supplier to Domino’s Pizza. (Stop press: just this morning, news of another data breach, involving data about 8,500 current and former staff of the Department of Social Services, blamed on a third party contractor.)
Of course, while hoping for the best you still need to plan for the worst. We all know that prevention is better than the cure … but it’s smart to have a first-aid kit, just in case.
That same study by the Ponemon Institute found that the best steps you can take to lessen the consequences of a data breach are the steps you take before the breach even occurs: staff training, and having a data breach response plan in place.
So – are you ready for 2018?
You should be doing your upmost to prevent data breaches anyway – but once the new Australian and European regimes of mandatory notification kick in, the consequences of failing to do so will become much more significant.
To help you get ready, we will shortly be launching some new privacy compliance tools, including a template Data Breach Response Plan you can download and easily customise for your organisation, as well as a template Privacy Risk Assessment Framework. Look out for those on our website soon.
In the meantime, if you need privacy awareness staff training to help spread the message throughout your organisation, we have standard and customised eLearning options available. Our training content has already been updated to incorporate the new data breach notification requirements. And of course, we’ve also got our more specialised eLearning modules for privacy professionals, about identifying and mitigating privacy risks. (Plus some more modules for privacy pros, coming soon.)
Time to get your skates on. 2018 will be here before you know it.
Photograph (c) Shutterstock