Security and privacy breaches
Technology and globalisation are making the world a smaller place for fraudsters. As businesses make the most of collaborative technologies, so do cyber-criminals, and the same technologies make it easier to commit a security or privacy breach by accident.
Australian public and private networks are under threat from security and privacy breaches every day. Cyber-crime, or computer crime, includes the distribution of viruses, illegally downloading files, and stealing sensitive information.
In the 2012 PwC Global Economic Crime Survey, Australian respondents ranked cyber-crime the second most commonly experienced economic crime, just behind asset misappropriation. Prior to 2012, cyber-crime did not have its own category in the report, which is itself evidence of the growth of cyber-crime and of its impact and profile within Australian society.
Economic pressures such as higher unemployment and flattening business management structures continue to increase the risk of all forms of fraud, including cyber-crime.
Cyber-crime is no longer the domain of young hackers; instead there are now a multitude of offenders with diverse motives including:
- Employees who have authorised access and abuse this access for personal gain or sabotage;
- Competitors seeking an unfair advantage;
- Criminals and criminal enterprises stealing and/or extorting information to generate income;
- Activists protesting organisational actions or policies.
Security and privacy breaches can also occur without malice, for example an email sent to the wrong recipient, or a mistake in sending a mass email (such as exposing the whole recipient list). Often it is simply an accident, such as losing a phone or laptop that holds sensitive information.
Businesses may face a whole host of losses arising from information breaches including income loss, reputational damage, and legal expenses.
Although cloud storage may offer a more flexible and lower cost facility, there are risks inherent in storing data off-site, beyond a company’s control, and possibly in a foreign country with a different and unfamiliar jurisdiction. Many cloud providers’ data centres are located in the US, Europe or Singapore rather than in Australia, so your data would be entering countries where different laws and regulations apply. Cloud services pose a serious challenge for IT security. High profile data breaches show how easy it is to lose control of your information: Sony, Twitter, LivingSocial, Distribute IT, Melbourne IT’s AAPT, the New York Times, and the list goes on.
Changes to privacy legislation
The Privacy Amendment (Enhancing Privacy Protection) Act 2012 amends Australia’s existing privacy law and introduces the Australian Privacy Principles (APPs), which take effect on 12 March 2014. The 13 APPs simplify the existing privacy regulation and introduce significant new obligations around the use and disclosure of personal information for direct marketing and the cross-border disclosure of personal information. In addition, there are new credit reporting rules and new laws governing codes of practice for information privacy and credit reporting.
The Privacy Commissioner will also exercise new powers including the ability to:
- Accept enforceable undertakings;
- Seek civil penalties in the case of serious or repeated breaches of privacy;
- Conduct assessments of privacy performance for government agencies and businesses.
These changes are given further weight by the introduction of a new civil penalties regime (including fines of up to $1.7 million).
Costs of data breaches
According to the Ponemon Institute, the cost per lost or stolen record has increased for the fourth consecutive year: from $123 per record in 2009 to $141 in 2012.
The total average cost of a data breach rose 23% in a single year.
The total cost of a data breach must take into account the following items:
- Expenses related to identifying and repairing the breach, e.g. hiring a forensic investigator;
- Business interruption costs, e.g. loss of income due to the disruption to key network technology such as billing or customer service systems;
- Notification costs and the possible hiring of a PR firm to limit reputational damage;
- Credit monitoring or related costs;
- Data rectification costs, i.e. the work needed to replace and reconstitute lost or damaged data.
Examples of security breach risk management
- Information Security Policy – firewalls, virus protection, encryption, electronic data back-up offsite, password protection and the like;
- Regular Fraud and Cyber-Crime Risk Assessments to identify the inherent risks present in the business and ensure sufficient mitigating controls are in place;
- Intrusion Testing and Detection Policy/Program – for example, regular penetration testing, together with an intrusion detection system (IDS): a device or software application that monitors network and/or system activity for malicious activity or policy violations and produces reports to a management console;
- Mobile Device Security Policy for tablets, company phones, portable computers.
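As an added illustration of the detection-and-reporting role described in the list above (example code written for this page, not part of the original article or any product), the following minimal host-based IDS scans authentication log lines for two things: a brute-force pattern (repeated failed logins from one address inside a short window) and a policy violation (a successful root login from outside an assumed administrative network). The log format, the threshold of five failures in 60 seconds, the network 10.0.0.0/8 and the sample log lines are all assumptions constructed for the example.

```python
"""
Minimal host-based intrusion detection over auth-log lines.

Added example (not from the original article): it demonstrates what the
article says an IDS does - monitor activity for malicious behaviour or policy
violations, and produce a report. The log format, threshold, window and
"admin network" are assumptions chosen for the example.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in a simplified sshd-like format (not real data).
SAMPLE_LOG = """\
2014-03-12T09:00:01 sshd: Failed password for admin from 203.0.113.5
2014-03-12T09:00:03 sshd: Failed password for admin from 203.0.113.5
2014-03-12T09:00:04 sshd: Failed password for root from 203.0.113.5
2014-03-12T09:00:06 sshd: Failed password for admin from 203.0.113.5
2014-03-12T09:00:07 sshd: Failed password for root from 203.0.113.5
2014-03-12T09:00:09 sshd: Accepted password for root from 203.0.113.5
2014-03-12T09:15:00 sshd: Failed password for alice from 10.0.0.7
2014-03-12T09:30:00 sshd: Accepted password for alice from 10.0.0.7
2014-03-12T09:31:00 sshd: Accepted publickey for root from 10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) (?:password|publickey) "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_line(line):
    """Return a dict for a recognised auth line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ok": m["result"] == "Accepted",
        "user": m["user"],
        "ip": m["ip"],
    }


def detect(log_text, threshold=5, window_seconds=60, admin_network="10.0.0.0/8"):
    """Scan log lines and return a list of alerts (the IDS 'report').

    Rules (assumptions for this example):
      brute_force  - at least `threshold` failed logins from one IP within
                     `window_seconds` (alerted once per IP)
      policy_root  - a successful root login from outside `admin_network`
    """
    admin_net = ipaddress.ip_network(admin_network)
    failures = defaultdict(deque)  # ip -> timestamps of recent failed logins
    alerted_bf = set()             # IPs already reported for brute force
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # unrecognised line; a production IDS would count these too
        if not ev["ok"]:
            q = failures[ev["ip"]]
            q.append(ev["ts"])
            # Drop failures that have fallen out of the sliding window.
            while (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ev["ip"] not in alerted_bf:
                alerted_bf.add(ev["ip"])
                alerts.append({"rule": "brute_force", "ip": ev["ip"],
                               "count": len(q), "at": ev["ts"].isoformat()})
        elif ev["user"] == "root" and ipaddress.ip_address(ev["ip"]) not in admin_net:
            alerts.append({"rule": "policy_root", "ip": ev["ip"],
                           "user": ev["user"], "at": ev["ts"].isoformat()})
    return alerts


def report(alerts):
    """Render alerts as the plain-text report an IDS would send to a console."""
    if not alerts:
        return "no alerts"
    return "\n".join(f"[{a['rule']}] {a['at']} from {a['ip']}" for a in alerts)


if __name__ == "__main__":
    print(report(detect(SAMPLE_LOG)))
```

On the constructed log the detector raises two alerts: a brute-force alert for 203.0.113.5 after its fifth failure inside the window, and a policy alert when that same address then logs in successfully as root. The single failure from 10.0.0.7 and the root key login from 10.0.0.9 (inside the assumed admin network) stay silent, which is the point of combining a threshold with a policy rule rather than alerting on every failed login.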
Talk with your risk advisers/insurance brokers to assess whether or not your insurances respond to exposures relating to privacy protection.
The role of insurance in your information risk management plan
Many businesses are not aware that traditional insurance policies generally do not cover costs associated with security and privacy breaches, leaving them exposed and in need of specialised protection against network risks.
A Data Security and Privacy Protection policy can cover your company for both your first party expenses (i.e. business interruption, lost revenue, breach notification costs and investigation costs) and your third party liabilities such as legal expenses and damages.
You are responsible, and accountable, for protecting your company’s information, whether it is public or corporate. It is a company’s responsibility to ensure its network is protected so that it does not become an unwitting participant in a cyber-attack. There is also an obligation to shareholders to keep the information in your network safe.
Examples of data security and privacy breaches
The 2012 Cyber Crime and Security Survey by the Centre for Internet Safety revealed that more than 20% of the 250 Australian businesses surveyed suffered a cyber-attack in the past year.
From cyber-crime alone, estimates of losses to Australian businesses start at $595 million (The Australian Business Assessment of Computer User Security).
There have been a significant number of large breaches, including:
- Target (100 million records);
- Global Payments (1.5 million records);
- Yahoo! (400 thousand passwords);
- Wyndham Hotels (600 thousand credit cards);
- eHarmony (1.5 million passwords);
- LinkedIn (6.5 million passwords);
- Zappos (24 million records);
- Reserve Bank of Australia (six computers infiltrated);
- New York Times (system interrupted).
For further information, please contact Drew Ferns of OAMPS Insurance Brokers on 02 4226 8700.