The cost of privacy breaches is threefold - trust, reputation and money. And being hacked is not accepted as an excuse.
Privacy breaches cause a loss of trust and significant damage to brand reputation.
Beyond this, the financial cost is significant. According to the IBM and Ponemon Institute’s 2015 Cost of Data Breach Study: Global Analysis, the average total cost of a data breach for the 350 participating companies increased 23 percent over the past two years to $3.79 million. This excludes mega-breaches affecting millions of customers, such as those suffered by Target and Home Depot, which cost those companies far larger amounts.
And of course, then there are the legal consequences.
Organisations need to be aware of their responsibilities to conduct themselves in accordance with the 13 Australian Privacy Principles - these standards cover the handling, holding, accessing and correction of personal information. Cyber security remains a paramount aspect of compliance with these obligations.
The Australian Privacy Principles require organisations that hold personal information “to take reasonable steps to protect the information from misuse, interference and loss, and from unauthorised access, modification or disclosure.” This involves having strong IT security systems, updated staff training and regularly reviewed security processes. It is not enough to contract out these responsibilities – businesses remain responsible for the personal information they have collected and will need to ensure that their service agreements reflect this responsibility. Insurance policies should also be reviewed to ensure they cover both deliberate and negligent cyber mistakes and also contain appropriate cyber management expenses.
Data breaches may occur as a result of a laptop being misplaced, an accidental coding error, a file being sent to the wrong recipient, or a database being hacked. Security measures need to be in place to reduce the likelihood of each of these kinds of breach.
If organisations breach their privacy obligations, the Privacy Commissioner is able to make determinations, accept written undertakings that will be enforceable through the courts, or apply for civil penalty orders which can range up to $340,000 for individuals and $1.7 million for companies.
The Australian Privacy Commissioner recently found that, at the time of a hacking incident, Cupid Media had failed to take reasonable steps to secure the personal information it held by not having password encryption processes in place. Hackers had gained unauthorised access to Cupid Media’s web servers and had stolen the personal information of approximately 254,000 Australian Cupid site users. According to the Commissioner, being hacked is not an excuse for a data breach. Hackers are drawn to large repositories of personal information like bees to honey. The appeal to hackers is minimised when entities comply with their statutory obligations and destroy personal information that is no longer required.