Data breaches can happen to any business or organisation, large or small. The kind of information that’s released is usually:
- data that can identify particular individuals, known as personally identifiable information (PII)
- personal health information (PHI)
- trade secrets or intellectual property (IP)
- embarrassing information used to harm a brand or people.
Data breaches happen when information is:
- compromised or stolen
- released by accident
- accessed by exploiting vulnerabilities in a computer system.
For businesses, this poses both a financial and a reputational risk. Customers may lose trust in the business or its brand, or come to see the business as unethical, and the business is then left with the work of regaining that trust and implementing better security practices.
Preventing a data breach
Data breaches are easier to avoid than they are to fix. Here’s what you can do to reduce the likelihood of a breach.
As a business:
- only collect information that you actually need from your customers. Be clear about why you need it
- think about how you store that information and whether that storage is fit for purpose
- make sure the data storage solution you’re using is secure
- ensure that it can only be accessed by those who need access to it
- develop a response plan for what to do if your business is affected by a data breach.
If your business is affected by a data breach
Here are the steps to take when you’re dealing with a data breach.
If it’s happened to your business:
- disconnect the compromised system from the network, but don’t turn it off. Powering it off destroys evidence that only exists while it is running (memory contents, running processes, open network connections) and that will help you work out what happened
- reset the passwords for any compromised accounts and revoke their active sessions, so that an attacker holding the old credentials is actually locked out
- report the breach. From 1 December 2020, the Privacy Act 2020 comes into effect. Under the Act, if your business or organisation has a breach that is likely to cause anyone serious harm, you are legally required to notify the Privacy Commissioner and any affected persons as soon as practicable
- be open and transparent with your customers. Notify anyone who could be affected as soon as possible. Let them know:
- what information was breached
- what you’re doing to address the problem
- how they can contact you if they have queries
- when you’ve fixed the issue.
A breach notification should be made to the Office of the Privacy Commissioner no later than 72 hours after you become aware of a notifiable privacy breach.
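The first two technical steps above (isolate the system without powering it off, so that evidence survives) are easy to get wrong in the wrong order: cutting the network from a remote session ends that session, and a reboot loses everything in memory. As an added example, which is not from the original page and is not an official procedure of the Privacy Commissioner or of any other body, the POSIX shell script below captures the volatile state of a Linux or Unix host first (running processes, logged-in users, network connections, routing and neighbour tables), hashes what it collected so later tampering can be detected, and only then isolates the host at the network layer while leaving it powered on. The evidence directory location, the use of iptables for isolation, and the particular commands collected are assumptions; adapt them to your environment. Note that capturing the environment records any secrets it holds, so the evidence directory must be protected accordingly.

```shell
#!/bin/sh
# Added example, not code from the original page. First-response triage for a
# suspected compromised Linux/Unix host: capture volatile evidence FIRST, then
# isolate the host from the network without powering it off.
# Assumptions: POSIX sh with coreutils; iptables available for isolation.

# Where captured evidence goes (assumption: a writable temp dir; in a real
# response point this at removable media or a dedicated evidence share).
EVIDENCE_DIR="${EVIDENCE_DIR:-${TMPDIR:-/tmp}/ir-$(date -u +%Y%m%dT%H%M%SZ)}"

# capture NAME CMD [ARGS...]: run CMD, save its output to NAME.txt and note in
# the manifest whether it ran, was missing, or exited non-zero. It never aborts,
# so one missing tool does not stop the rest of the collection.
capture() {
    name="$1"; shift
    if ! command -v "$1" >/dev/null 2>&1; then
        echo "skipped $name ($1 not available)" >> "$EVIDENCE_DIR/manifest.txt"
        return 0
    fi
    if "$@" > "$EVIDENCE_DIR/$name.txt" 2>&1; then
        echo "captured $name" >> "$EVIDENCE_DIR/manifest.txt"
    else
        echo "captured $name (exit status $?)" >> "$EVIDENCE_DIR/manifest.txt"
    fi
}

# Collect the state that a shutdown would destroy. Prints the evidence directory.
collect_volatile() {
    mkdir -p "$EVIDENCE_DIR" || return 1
    date -u '+%Y-%m-%dT%H:%M:%SZ' > "$EVIDENCE_DIR/collection_time_utc.txt"
    capture hostname    hostname
    capture uptime      uptime
    capture processes   ps -ef
    capture logged_in   who
    capture sockets     ss -tunap        # Linux: connections with owning processes
    capture netstat     netstat -an      # fallback on other Unix systems
    capture routes      ip route
    capture neighbours  ip neigh
    capture mounts      mount
    capture environment env              # may contain secrets: protect the directory
    # Hash everything collected so that later modification is detectable.
    if command -v sha256sum >/dev/null 2>&1; then
        ( cd "$EVIDENCE_DIR" && sha256sum *.txt ) > "$EVIDENCE_DIR/SHA256SUMS"
    elif command -v shasum >/dev/null 2>&1; then
        ( cd "$EVIDENCE_DIR" && shasum -a 256 *.txt ) > "$EVIDENCE_DIR/SHA256SUMS"
    fi
    chmod -R go-rwx "$EVIDENCE_DIR"
    echo "$EVIDENCE_DIR"
}

# Default-deny all traffic except loopback, leaving the machine powered on so
# memory and running processes survive for forensic work. Requires root and
# iptables (assumption). Run only after collect_volatile has finished: this also
# cuts any remote session you are working from.
isolate_network() {
    if ! command -v iptables >/dev/null 2>&1; then
        echo "iptables not found: isolate manually (unplug the cable, disable Wi-Fi)" >&2
        return 1
    fi
    # Allow loopback before flipping the policies so local services keep working.
    iptables -I INPUT  1 -i lo -j ACCEPT || return 1
    iptables -I OUTPUT 1 -o lo -j ACCEPT || return 1
    iptables -P INPUT   DROP || return 1
    iptables -P OUTPUT  DROP || return 1
    iptables -P FORWARD DROP || return 1
}

# Usage as root on the affected host:  sh triage.sh run
if [ "${1:-}" = "run" ]; then
    collect_volatile && isolate_network
fi
```

Hashing the evidence and restricting its permissions is what makes the collection useful later: when you report the breach and explain to customers what happened, you need to be able to show that the record of the system's state has not changed since it was taken.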