We talk endlessly about the rise in cyber crime. Statistics show that individuals out there with malicious intent are on the rise, and the weapons in their arsenal are becoming increasingly more sophisticated. Often, they’re one step ahead of security procedures, protecting even the largest of multinational corporations from having their data compromised. Moving away from focussing on these individuals specifically, today we’re talking about a sharp rise in litigation – class action lawsuits – brought from customers that have had their data stolen.
No company is immune, regardless of their size, their operations or perceived thoroughness of their security processes… in the past 12-months we’ve seen British Airways, Facebook and Yahoo all face multi-million dollar class action suits in the wake of large-scale data compromises. Putting aside the monetary problems, your company’s loss of face with customers could ultimately prove its undoing, if your company is perceived as unsafe or unreliable with sensitive data.
Dr Jodie Siganto, who holds a PhD in privacy and information security published a report on the current legislative landscape in Australia when it comes to data and privacy abuses. In her opening, she writes “given the uncertainty about the right to sue for breach of privacy in Australia, I did not expect to see any significant litigation following the introduction of the new data breach notification provisions in February 2018. It looks like I was wrong, with at least three data breach related class action claims currently on the go in Australia.”
The first being a 2017 class action case against the NSW Ambulance Service, served on behalf of 130 ambulance staff who found their medical records were accessed – without prior authorization – by a contractor, who went on to sell the information injury lawyers. The same law firm representing the ambulance staff is also pursuing PageUp following a June, 2018 breach of its data. The final, and by far the biggest class action suit has lodged a complaint to Facebook, alongside the Australian Privacy Commissioner on behalf of 300,000 Australians whose data was obtained by the notorious Cambridge Analytica.
This paragraph illustrates a shift in the legislative paradigm when it comes to data breaches, and the violation of people’s privacy that can follow. She continues to explain that “the failure of a right to sue for invasion of privacy to develop at common law has led to calls for the introduction of a statutory right to sue. Over the last 10 years, the introduction of a statutory right to sue has been supported by at least for different commissions.”
The shift is clear to be seen, and those of you reading this that are obligated to your clients to protect their data must heed the warning residing within this shift. Not only will you face a loss of trust from your clients, you could ultimately be served with a financially-devastating lawsuit that could undermine the fate of your business. This will become a bigger problem for business owners if Australia were to pass something similar to the European ‘General Data Protection Regulation’ legislation (GDPR) that aims to protect consumer’s data, and their privacy. The current landscape in Australia would suggest that we’re on a steady crawl toward implementing similar regulations in the communications landscape.
A recent article in The Australian says that “at a time of high privacy awareness, the community expects those entrusted with their personal information to act as ethical stewards.” They also expect “regulators to take action to prevent breaches and to detect and remedy their issues.”
Each year, the Office of the Australian Information Commissioner receives more than 3,000 complaints from individuals. According to the OAIC, typical resolution of these complaints includes financial restitution, and mandate improvements to that business’ privacy and IT security protocols, to avoid a repeat of the incident. “Our frontline staff assisted the public with almost 20,000 inquiries about privacy in 2017-18, and we audit a range of industries and agencies for compliance with the privacy act.” Angelene Falk, Information Commissioner and Privacy Commissioner at the OAIC said in a statement.
“We apply our resources strategically to probe major incidents, including our ongoing commissioner-initiated investigation into Facebook. Our work has led to enforceable undertakings that have driven systemic change within organizations where personal informational practices have been deficient.
“We take an evidence-based and proportionate approach, and we will not shy away from using the full range of regulatory powers. That includes seeking civil penalties of up to $2.1-million per privacy breach through the Federal Court.” Ms Falk concluded.
The OAIC says that privacy by design is crucial in achieving compliance with the Privacy Act. In a 2017 study on community attitudes to privacy, 58% of respondents said they had avoided a certain company because of privacy concerts. Last week, a report commissioned by HP found that 46% of small to medium-sized Australian businesses reported that customers were increasingly opting out of data collection and sharing. According to the OAIC, at least one senior executive in the business needs to act as the ‘privacy champion’, while an effective privacy management plan and privacy impact assessment both need to be developed and implemented into the day-to-day operations of that business.
This is where we’re going to jump right in and outline clearly that this is exactly what ISO 27001 has been designed for. It’s a product that has been on the market for a long time now, so you’ve got fewer and fewer excuses why you haven’t already implemented a data protection system into your business. As we’ve outlined, the initial hit to your stakeholders could prove fatal to your business, and now with regulators beginning to enforce a high-level of proper controls and systems into Australian businesses to protect customer’s data, if you’re not doing enough on your end, you could ultimately pay a heavy price for your complacency.