If you have a marketing database, use a data platform, or rent or sell houses, you may be liable for big fines if your data is breached.
Right now, the world is obsessed with data. Businesses are obsessed with collecting it, consumers are obsessed with protecting it, and increasingly, the bad guys out there are obsessed with accessing it, sharing it and exploiting it.
In Australia, if you own a business, there’s a 30% chance* your data will be breached. Since data protection laws have evolved in recent years to make businesses accountable for breaches, that means there’s also a 30% chance you’ll need to fork out some hard-earned cash to fix it.
But the cost of fines and fixing isn’t the only way your business will be impacted if your data is breached. In most cases, you’ll also be responsible for implementing a plan that sees anyone affected notified, and the hole in your security plugged as soon as possible.
According to IBM, the average cost of a data breach in Australia is $3.35 million, and while you might be thinking, ‘mine is a small business, that doesn’t apply to me’, the fact is that even small businesses will face costs if their data is breached.
What is a data breach?
The Office of the Australian Information Commissioner (OAIC) describes a data breach as: ‘when personal information is accessed, disclosed without authorisation or is lost.’
As a business, whether you require bank details for transactions, pull identifiable data from data platforms, send contracts via email, or simply keep a database of contacts for marketing, you are collecting and sharing data and can be held accountable if that identifiable data falls into the wrong hands.
While the news on TV loves to talk about highly skilled European hackers, researchers from Stanford University* found almost 88% of all data breaches are actually caused by employees who simply make a mistake. IBM suggests it might be as high as 95%.
Almost half of the respondents in the research noted falling for a phishing scam, purely because they were distracted and not paying close enough attention to what they were doing.
Interestingly, young people were more likely to admit to this than older people, and men were 25% more likely to fall for phishing scams than women.
Many who made these mistakes attributed them partly to an expectation to respond quickly to emails.
Human-error-based data breaches also occur because people don’t handle identifiable data carefully – with files or folders left in the open, or not locked if online.
Many people have also mistakenly sent an email containing data to the wrong person due to distraction or, more concerningly, fatigue or stress, and more people than you can poke a stick at use the same password across multiple accounts.
Outside of human error, there are of course criminal entities at play that do target individuals and businesses, looking for weaknesses or opportunities. Many smaller businesses don’t really consider cybersecurity at all, either from a technical perspective or as part of their employee education and training.
What are the fines for data breaches?
While the maximum penalty for a data breach in Australia is currently $2.1 million, in March 2019 Attorney-General Christian Porter proposed amendments to the Privacy Act to increase the maximum penalty to the greater of $10 million or 10 percent of the company’s domestic turnover.
The proposed reforms would also increase the power of the OAIC, enabling it to issue infringement notices of up to $63,000 for companies and $12,600 for individuals who fail to assist in the resolution of a breach.*
The Privacy Act 1988 (Cth) applies to any business with an annual turnover of $3 million in any year since 2001, and to other businesses regulated under the Act regardless of turnover (including most real estate agencies).
How do you manage a data breach in your business?
The best way to approach a potential data breach is to avoid it in the first place, at all cost.
This means considering what you are collecting, how and where you are storing it, reviewing your security, increasing your staff training and awareness, and minimising risk within your business.
Among other requirements, since February 2018, if your business loses or unlawfully discloses personal information that you hold, or if there is unauthorised access to data that could cause harm to the affected people, you must investigate the breach and notify the affected individuals and the OAIC as soon as possible.
You should work to contain the breach immediately, which may mean contacting experts; then assess the potential harm to the individuals whose details are in the data; notify the relevant parties; and then review the situation to prevent it from happening again. The OAIC has excellent resources and a full step-by-step data breach plan to follow.
The OAIC encourages every Australian organisation to have a data breach response plan, so you can respond rapidly to a breach and contain any further breaches. The plan should also cover how you intend to keep the data safe in the first place.
Have fines ever been issued?
The OAIC reported 63 breaches in the first six weeks after the Privacy Act was updated in 2018, and this number continues to rise.
They noted 89% of breaches involved normal contact information like addresses and phone numbers, while 39% involved identity-related information like licences and passports.
While you might think you’re in the clear because you’re not in the turnover range ($3 million each year), any business with a residential tenancy database, and many other smaller real estate agencies and valuers, are actually covered by the Act.
Since 2019, investigations have occurred into: a former Ray White Tasmania agent, Primus Realty (with tenant data made public for more than 20 months), real estate businesses in QLD as part of a wider hacking scheme, up to 400 First National offices (personal details of job applicants exposed), and others. It can and does happen in our industry!
If you’re acquiring a business, you also need to be careful: Marriott International (the hotel chain) was fined $24 million for a GDPR breach (GDPR being the European privacy laws that can also affect Australian businesses).
It reportedly failed to identify, during due diligence, a data breach in a company it was planning to acquire, and then failed to contain the breach for some time after the acquisition.
Even the Government isn’t safe, with the Department of Home Affairs ordered to pay from $500 to $20,000 per person when the identities of more than 1,200 asylum seekers were compromised.
Why are we talking about data breaches?
Beyond our dedication to protecting our customers from enormous fines, and all Aussies from having their personal details exposed, we’re talking about this because National Property Group offers a leading property data platform.
While our terms and conditions set strict requirements for how data is used, some agents may export data for various reasons and store it locally. Ensuring you keep that data safe is paramount, especially if identifiable data is included.
Likewise, on our platform or any other property data platform, some vendor information and contact data may be provided, with only some of those people having given consent for that data to be used for marketing and prospecting. Using data for marketing without consent is also a breach of privacy laws.