Start-ups that hastily stick a privacy statement on their website and think that they’ve covered themselves legally should think again.
Businesses not up to speed with their obligations could cop fines of between $340,000 and $1.7 million for breaching the new Privacy Amendment Act. It’s a change you need to be across.
The Privacy Commissioner will also have the power to conduct performance assessments of private sector organisations to determine if they’re handling personal information in accordance with the new rules. The changes come into play in March next year.
Privacy is a major issue that many in business don’t take seriously. This is despite the fact that the professional reputation of a business can be severely damaged if confidential information falls into the wrong hands.
A recent survey of commercial rubbish bins in Sydney found that 11% contained personal information readily accessible to people walking past, including identity thieves.
Of the more than 80 businesses surveyed, bank branches, lawyers and doctors’ offices had thrown confidential information in the rubbish.
The investigation, commissioned by the National Association for Information Destruction-ANZ, took place in January and February this year. A licensed private investigator casually examined the contents of publicly accessible rubbish bins used by businesses with an established responsibility to protect client data.
Among the dozen or so most concerning finds was a report listing an account holder’s information, including name, address, social security number, credit card number, account balances and credit limits.
The investigator also found detailed documents about a legal settlement outside a real estate office.
Melbourne privacy lawyer Kent Davey of TechComm Legal says businesses need to start preparing for the changes to the Act now, as the new requirements could be onerous for a business.
Davey has been advising clients on all aspects of privacy law for two decades and says businesses thinking that a privacy statement protects them should think again. Employees will require training to ensure the company privacy statement is being followed and better systems will need to be implemented by businesses, Davey says.
Training around privacy requirements will also be paramount: figures from Trend Micro reveal that up to 80% of all data loss is caused by human error, such as sending confidential or sensitive information to the wrong people or in an unsecured way.
Davey says: “Businesses will also need to look at what personal information they’re collecting. You can’t just keep personal information on customers for the sake of it. If you don’t need it to run your business, you shouldn’t be collecting or storing it.”
“Credit card details and a customer’s personal preferences need to be stored safely if required, or destroyed if no longer needed.”
Adam Biviano, senior manager of strategic products at security vendor Trend Micro, agrees that businesses need to question whether they really need to collect all the information they collect.
Licensed clubs that scan a patron’s driver’s licence are a good example. Biviano says: “While there are time savings associated with this approach, are they actually painting a target on their heads for someone to want to steal that information?”
Davey says businesses need to assess various aspects of company security, including the adequacy of firewalls, virus protection, software encryption, computer passwords and physical locks, and the use of company computers off-site.
“Where I see many in business fall down is around destroying information they no longer require. The quality of your data also needs to be checked regularly.”
And while cloud computing has been a revolution for start-ups, there is also the potential for privacy leaks.
Joel Camissar is the practice head of data protection for computer security vendor McAfee.
In a recent McAfee survey, people responsible for managing customers’ personal information (mostly IT managers) reported that employees save data to cloud file-sharing services such as Dropbox or YouSendIt.
“These cloud-based services lead to a higher chance of a data breach since they can’t be accessed from the employee’s personal computing devices,” he says.
Document shredding will be increasingly important under the changes.
Document destruction company Shredlock offers secure services based on the most stringent privacy legislation in the world.
Shredlock director Tim Horton urges businesses to put a ‘shred all’ policy in place, no matter what type of business they operate.
Shredlock is one of a handful of independently audited document destruction companies in Australia. It shreds documents on site at centres across the country and is adding to its fleet of shredding trucks in the lead-up to the increased emphasis on privacy.
“Even with the best intentions and training, employees can easily put sensitive documents in the general recycling rather than the secure shredding bin without understanding the potential risks,” Horton says.
Biviano says the new laws also mean that the public will have greater understanding of how their personal information is handled and be able to enquire about how the data is managed.
“Start-ups need to be careful not to cut corners. It’s always easier to set up systems properly at the start than trying to retrofit a broken system later,” he says.
“If you cannot afford to secure the information you collect, then you cannot afford to start your business.”
Biviano says the philosophy toward privacy should be that you treat data you hold on other people and businesses how you would like others to treat your most private secrets.
“I know business owners are busy people, but under these new laws, privacy is important enough for them to take an active interest in ensuring that they are in compliance with the law.”
A privacy matter
Think your business is too small for computer hackers to worry about? Think again. Size is irrelevant when it comes to online crime and fraud. In fact, smaller businesses are easier targets because of stretched IT resources.
Businesses should:
- Teach employees and re-teach them about your security requirements. Write it, teach it and enforce it
- Require strong passwords
- Enforce consequences
- Explain proper usage of a company-issued computer, including use of the internet
- Educate about email, including what should and shouldn’t be opened or forwarded
- Appoint someone employees can go to when they have questions about the policy or general computer security issues
Source: Trend Micro