Heard of US credit-monitoring company Equifax? It’s been in the news for all the wrong reasons lately, following a huge cyberattack in which personal information of about 145.5 million Americans was stolen. It’s worth writing about for two reasons: as a ‘what not to do’ example in the event of a cyberattack, and to highlight the establishment of the Australian Notifiable Data Breaches scheme – and what it means for Australian businesses.
The Equifax example – what not to do in the event of a cyberattack
The NY Post reports that the hack occurred despite warnings from the Department of Homeland Security that there were flaws in the company’s software. Following the DHS warning in March this year, two separate Equifax IT teams failed to identify or patch the vulnerable version of Apache Struts. And while the hack began in May, Equifax didn’t discover it until July.
In what has been described by experts as ‘a perfect storm’ of missteps by Equifax, the company also took six weeks to alert the public to the security breach – and then initially only offered help to the millions affected as long as they promised not to sue. Reports indicate that this condition has since been lifted.
Equifax’s former CEO Richard Smith – who retired in the wake of the security breach – apologised to the US for the company’s failure to meet its responsibilities in safeguarding its customers’ personal information.
While this hacking occurred in the US, Australian companies can learn from it as a textbook example of what not to do if there is a data breach. And new legislation coming into effect on 22 February next year means that Australian companies risk heavy fines if they make errors and miscalculations like those in the Equifax case.
Coming soon to Australia: The Notifiable Data Breaches scheme
The Notifiable Data Breaches scheme is the result of the Privacy Amendment (Notifiable Data Breaches) Act 2017. It requires companies covered by the Privacy Act 1988 to notify any individuals who could be at risk of serious harm as a result of a data breach. The company will also be required to inform those individuals about the steps they should take in response to the breach.
Examples of a data breach include:
- a device containing customers’ personal information being lost or stolen
- a database containing personal information being hacked
- personal information being inadvertently provided to the wrong person
This means customers will be able to take steps to minimise the harm that can result from their personal information getting into the hands of unauthorised people or companies.
While the rules that Australian organisations will have to follow from 22 February 2018 are still to be confirmed, heavy fines for breaching them will certainly apply.
The Australian federal government has set up a website for organisations and individuals seeking further information about the Notifiable Data Breaches scheme.
How Correct Solutions can help
While Correct Solutions cannot offer legal advice regarding the Notifiable Data Breaches scheme, we can help you to take steps to avoid the nightmare scenario experienced by Equifax. Get in touch with us if you want to know more about security solutions, and how to improve your data security and hack prevention processes.
Contact one of the team on 1300 267 765 if you want to know more.