Published on 06/03/2018 | Written by Empired
Notifiable data breach (NDB) laws are now a reality for Australian organisations and Europe’s General Data Protection Regulation (GDPR) is coming in May…
For a long time, organisations have, to some extent, been able to get away with knowing about security compliance breaches but not acting on them. However, with trends such as cloud changing the nature of security borders and identity becoming the new security perimeter, personally-identifiable information (PII) is now front and centre for organisations.
Even if you’re yawning at NDB and GDPR and thinking “it doesn’t apply to us”, NDB and GDPR are just the beginning.
“Businesses of all sizes can expect some difficulties as the new legislation changes the way their organisations need to assess, manage and respond to risk.”
NDB and GDPR are the outcomes of a paradigm shift in how privacy is viewed on the priority list of consumers, businesses and government. People are more likely to trust and be loyal to organisations when they understand how these organisations treat their personal information and when they have faith that these organisations are taking all possible steps to protect their privacy.
Some of the key questions you should be asking include:
- Do you know what PII your company holds?
- Do you know where your data is?
- Do you know who has access to it?
- Do you know how it is protected?
- Do you know if it has been breached?
Increasingly, people expect their PII to be managed properly. GDPR and NDB indicate a general and continuing tightening of regulatory controls in the future. Add to this the financial and reputational impact associated with not meeting compliance obligations and the risk is very clear: organisations must take compliance seriously.
Breaches from last year in which the public was notified only long after the fact demonstrated the need for NDB legislation. In fact, 2017 was reportedly the worst year on record for data breaches, which skyrocketed by more than 300 per cent compared to 2016.
Examples include:
- Equifax: Impacted 143 million consumers. The company fumbled its incident response and remediation effort. Its support website looked like a phishing site, its data breach checking tool didn’t work, and the company was forced to pull a clause from its site that effectively prevented aggrieved customers from suing the company.
- Uber: Impacted 57 million users. In 2016, hackers stole the data of 57 million Uber customers, and the company paid them US$100,000 to cover it up. The breach wasn’t made public until November 2017, when it was revealed by new Uber CEO Dara Khosrowshahi.
- Sabre: Sabre Systems, a reservation software company, quietly revealed that it had been attacked earlier in 2017. The company’s software is used by hundreds of airlines and thousands of hotels to manage passenger and guest reservations, revenue management, and human resources. Several major companies, including Google, Hard Rock Hotels, Loews, and some Trump properties, have revealed that they had data stolen as a result of the Sabre breach. The breach took place from August 10, 2016 to March 9, 2017. During this time, guest information related to a subset of hotel reservations booked through Sabre’s SynXis central reservations system was accessible to an unauthorised party.
Beyond this, there is also an increasing legal awareness of contractual obligations. Expect clients to demand tighter contract terms on data security: they are more conscious of their data and are taking steps to ensure that everyone handling it, including suppliers, contractors, and sub-contractors, has sufficient processes in place and will be held responsible for non-compliance.
It’s become apparent that proper compliance, governance, and a security framework that includes a response plan are now essential.
The fact is that a lot of companies already have access to tools such as Data Loss Prevention, Advanced Threat Protection and Compliance Manager as part of Microsoft 365 and Azure. They just need help implementing these tools effectively to assess and manage their compliance risks, leveraging the cloud to identify, classify, protect, and monitor sensitive data.
Empired helps clients assess and manage their security posture in relation to NDB, GDPR, and compliance before it becomes an expensive public problem. As a Microsoft partner, we have the expertise in these tools and can help you unlock their power.
What’s more, Empired understands how important it is to our clients that we take steps to protect their PII. We have implemented a data breach policy and response plan. To find out more about how Empired is protecting your data, click here.
Source: Empired blog – NDB and GDPR are now serious business for your organisation