Clever Use of the Power to Order Pre-Action Discovery
The New South Wales Supreme Court has ordered Channel Nine to provide a draft story to a plaintiff…
Data protection is a key issue for organisations around the world. With the rapid increase in remote working arrangements in response to the Covid-19 pandemic, and the increased sophistication of malicious parties, no business is immune from cyber security attacks and data breaches.
Data Protection Measures
Despite the prevalence of such incidents, there are several steps your business can take now to help reduce the likelihood of falling victim to a cyber security attack.
1. You can’t secure what you don’t know you have: any effective data breach prevention strategy needs to start with an understanding of what information your business collects, stores and processes. A privacy assessment can help you understand your business’s legal responsibilities in respect of the information that it holds and how well it complies with its privacy obligations. If your privacy practices aren’t up to scratch, it’s better to fix them before it’s too late.
2. Secure the assets: there are many ways to prevent a data breach using technology. This includes:
If you are unsure whether your information is secure, have a third party carry out a security audit and risk assessment to help you identify any weak points in your systems, so that you can best protect yourself from cyber-attacks.
3. Prepare and prevent: the action you take during the first few hours after a data breach occurs are the most crucial, therefore it is important that your business has an Incident Response Plan (‘IRP’) to assist the business in making the right decisions quickly and to minimise the impact of a data breach. Among other things, an IRP should include:
4. Testing 123: an IRP should not be locked away in your bottom draw, only to be dusted off if and when a data breach occurs. Members of your response team should continually test the IRP by undertaking hypothetical data breach simulations to ensure that it is effective and meets the needs of the business over time.
5. Knowledge is power: 38% of data breaches that were notified to the OAIC during the July-December 2020 period were reported as being the result of human error. Therefore, it is important that your business has up-to-date privacy and security policies, and that your staff members are appropriately trained so that they know how to identify and respond to cyber security threats.
The Australian Cyber Security Centre recommends clearly documenting and training employees in cyber security systems, plans and practices. Written policies and mandatory online training videos are important, but we suggest going even further and getting the staff together for an interactive afternoon where they are put through several data breach and cyber-attack drills that vary in degrees of difficulty. This will allow staff to be alert on data breach attempts and learn techniques to protect information when communicating.
6. Cover your assets: given the frequency at which data breaches are now occurring and the considerable damage – both financially and reputationally – that flows to a business from a major data breach, it is becoming increasingly important to have cyber insurance in place. The type and level of insurance will depend on your company, including size, financial position and risk profile.
Unfortunately, despite your best efforts, data breaches can still occur. Our next article in this series will discuss how to effectively respond after a data breach has occurred.