Once more unto the breach?
Next month sees mandatory data breach notification requirements come into play. Are you ready?
There is no denying that there have been some high-profile data breaches, from credit reporting agency Equifax's exposure of highly sensitive financial information to the Uber breach that saw 57 million drivers' and passengers' data (including that of Aussies) exposed and the breach covered up. But it isn't just global corporations that are at risk. Cyber security is an issue for any business that holds personal data.
The importance of having sound data protection protocols in place is coming home to roost for real estate professionals with the introduction of mandatory data breach notification requirements.
On 22 February the new Notifiable Data Breaches (NDB) scheme takes effect. The NDB scheme requires all organisations covered by the Privacy Act 1988 to notify the Australian Information Commissioner, and the individuals concerned, of any data breach that is likely to result in serious harm to those individuals.
While most small businesses (those turning over less than $3 million per annum) are exempt from the scheme, any business operating a residential tenancy database must comply with the requirements imposed on Australian Privacy Principle (APP) entities, which have an obligation under the Privacy Act (APP 11) to protect the personal information they hold.
Real estate agents/property managers will be required to comply with the NDB scheme, but only in relation to personal information held by the entity for the purpose of, or in connection with, the operation of a residential tenancy database. The Office of the Australian Information Commissioner (OAIC) defines a residential tenancy database as: "a database that stores personal information about individuals occupying residential premises as tenants and is accessible by a person other than the operator of the database or a person acting for the operator".
A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure, for example when:
- a device containing customers’ personal information is lost or stolen
- a database containing personal information is hacked
- personal information is mistakenly provided to the wrong person
Failure to comply with the requirements can result in a range of consequences, from public apologies and compensation payments to, for serious breaches or repeat offenders, civil penalties. Civil penalties are currently $360,000 for individuals and $1.8 million for bodies corporate.
As an agent you handle private information that is appealing to criminals, who can use that information to make money or mischief. Regardless of whether your real estate business is subject to the new legislation or not, protecting your and your clients' data is just good business.
To help keep data secure, look at employing these tips:
- Security software
Install security software that includes a firewall, anti-virus and anti-spyware on company-supplied and BYO devices. Always install security updates/patches on all devices promptly (if a single team member doesn't update their devices, it can compromise your whole network). Run weekly anti-virus and malware scans. Many smartphones/devices ship with security measures (such as full-disk encryption and remote wipe) that most users never turn on, so switch them on.
- Passwords
Change them regularly, and immediately if you suspect one has been compromised; don't share them; use long ones with a mix of upper and lower case letters, numbers and symbols, or, better, use a passphrase of several random words, which is both longer and easier to remember; never reuse the same one across multiple devices/accounts. Use multi-factor authentication wherever it is offered, as it protects the account even if the password is stolen.
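To put numbers on the passphrase advice above, here is an added example (not part of the original article) that generates passwords and passphrases with Python's cryptographically secure `secrets` module and estimates how much entropy each choice carries. The word list embedded below is a small constructed sample for illustration; the 7,776-word size used for comparison is that of the EFF long word list, and the 1e10 guesses-per-second cracking rate is an assumed order of magnitude for an offline attack against a fast hash.

```python
import math
import secrets
import string

# Constructed sample list for illustration only (32 words). A real generator
# must draw from a large published list; the entropy arithmetic below shows
# why a short list is not good enough.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dragon", "eagle", "forest", "garden", "harbor",
    "island", "jacket", "kettle", "ladder", "marble", "needle", "orange", "pepper",
    "quartz", "rocket", "saddle", "tunnel", "umbrella", "velvet", "walnut", "yellow",
    "zipper", "bridge", "copper", "desert", "ember", "falcon", "glacier", "hammer",
]
EFF_LONG_LIST_SIZE = 7776  # size of the EFF long passphrase word list

# 26 + 26 + 10 + 32 = 94 printable ASCII symbols, the usual "complex password" alphabet
SYMBOLS = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols chosen uniformly from `alphabet_size` choices.

    Assumes a CSPRNG did the choosing and that the attacker knows the alphabet
    and the length, which is the standard conservative assumption.
    """
    return length * math.log2(alphabet_size)


def generate_passphrase(words, count: int = 6, sep: str = "-") -> str:
    """Pick `count` words with secrets.choice (CSPRNG); never use random.choice,
    whose output is predictable from a few observed values."""
    return sep.join(secrets.choice(words) for _ in range(count))


def generate_password(length: int = 8, alphabet: str = SYMBOLS) -> str:
    """A conventional 'complex' password of `length` symbols from `alphabet`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every candidate offline at `guesses_per_second`
    (an assumed rate, roughly a GPU rig against a fast unsalted hash)."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    cases = [
        ("8-char complex password", entropy_bits(len(SYMBOLS), 8)),
        ("12-char complex password", entropy_bits(len(SYMBOLS), 12)),
        ("6 words from the 32-word sample list", entropy_bits(len(SAMPLE_WORDS), 6)),
        ("6 words from a 7,776-word list", entropy_bits(EFF_LONG_LIST_SIZE, 6)),
    ]
    for label, bits in cases:
        print(f"{label:40s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.3g} years to exhaust")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
    print("sample password:  ", generate_password(12))
```

The point the numbers make: six words from a large list (about 77 bits) beats an eight-character symbol soup (about 52 bits) by a wide margin while being far easier to type and remember, but six words from a tiny list (about 30 bits) is weaker than either, so the size of the word list matters as much as the number of words. Entropy estimates like these only hold for randomly generated secrets; a passphrase a person composes from favourite words or a song lyric is guessable by dictionary and phrase attacks and does not get these bit counts.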
- Network security
Change the default administrator password on your Wi-Fi router and keep its firmware up to date. Secure the wireless network with WPA2 encryption and a strong passphrase (never WEP or an open network); hiding the SSID (Service Set Identifier, the network name most Wi-Fi modems and routers continually broadcast) only deters casual discovery, so treat it as a minor extra rather than a protection in itself. Make sure data in transit is encrypted: use HTTPS sites and services, and be careful on public wireless networks, avoiding online transactions and logins when using public or complimentary Wi-Fi. Consider using a VPN, which encrypts all of a device's traffic back to a trusted network.
- Back-ups
Make sure you regularly back up all data to more than one place, e.g. to a portable hard drive and to the cloud, keep at least one copy disconnected from the network so that ransomware cannot reach it, and periodically test that you can actually restore from the backups. Be cautious about storing sensitive information in the cloud: use only services that encrypt your data at rest, and for highly sensitive files encrypt them yourself before uploading, so that the provider never holds the plaintext.
- Staff training
Ensure employees understand security basics: recognising cyber risks (including scams, spam and phishing), best password practices and handling confidential information. Create written cyber security policies and have regular audits to ensure there are no weak links.
- Access control
Restrict administrator-level access for installing hardware and software. Only give employees access to the information/systems they need to do their job, and remove that access when they leave or change roles. Don't plug in USB drives or external hard drives from an unfamiliar source. Be mindful of who and what has access to your systems (employee BYO devices are a leading source of breaches). Secure your portable devices (lock them with a PIN or passcode, enable encryption and install the right protection software); data can be copied in an instant without the device leaving your side. Securely store portable storage devices when not in use.
Data breaches can have serious ramifications for your business, financial, operational, legal and reputational, making risk mitigation a necessity. EBM's Cyber Liability experts can help assess where your data security vulnerabilities lie, develop strategies to minimise risk with best-practice privacy protocols and discuss the options for transferring risk with insurance.