28 August 2019

Notifiable data breach scheme: what you need to know

Keeping quiet in the wake of a cyber security breach is now a thing of the past, after laws mandating notification came into force last year. Here’s a reminder of what you need to know about the scheme.

It’s an unfortunate fact that far too many real estate agencies take a “she’ll be right” attitude when it comes to cyber security. Smaller agencies, in particular, tend to believe “no one’s going to bother to hack us because we’re too small”. But it’s not true.

Small businesses like real estate agencies as well as the strata industry are easy targets. Hackers often don’t bother with the bigger end of town where there are dedicated cyber security resources in place. Why would they when they can more easily attack a smaller business with weaker defenses? While larger businesses are potentially more lucrative targets, they’re better protected. Smaller businesses tend to be more exposed.

Take a moment to think about the sheer bulk of personal information held by your real estate agency. Databases and CRMs are a veritable treasure trove of details that hackers can potentially exploit for their own advantage. It’s not hard to imagine the potential fallout a cyber breach might have on your agency, including the damage it would wreak on your reputation if your clients’ personal details were compromised.

It’s no wonder that most businesses keep quiet about cyber security breaches. Why would they report a hack when they have so much to lose? Following the introduction of the Notifiable Data Breaches scheme, businesses now have no choice but to report cyber breaches.

Understanding the scope of the problem

The Notifiable Data Breaches scheme requires businesses captured by the Privacy Act 1988 (Cth) to inform people when their personal information has been compromised due to a data breach and serious harm is likely to result. The long-anticipated scheme aligns Australia with other countries, which have had notification requirements in place for years.

For Dan Weis, Penetration Tester and Security Specialist at leading technology and security solutions company Kiandra IT, the new laws are long overdue.

“The security industry has been pushing for mandatory notification for a long time and we’re one of the last countries in the world to implement this type of legislation,” Mr Weis said. “The new laws won’t change the cyber security landscape in the short-term, and attacks will continue to increase in sophistication. What they will do is provide a degree of visibility that we’ve never had before.

“We have reports from major security vendors on the number and severity of Australian data breaches each year, but it’s only a small percentage of the actual breaches that occur. The reality is that most businesses don’t report breaches because they’re scared of reputational fallout. A good example of this is when Uber suffered a massive data breach in 2016 and then paid hackers to keep it quiet.”

Visibility will lead to awareness

With increased visibility will come a shift in mindset about the need to address cyber security.

“Because there’s been no mandatory reporting, people aren’t aware of the full extent of what’s happening,” Lyn Nicholson, General Counsel at Holding Redlich, said.

“This has contributed to the ‘it’s never going to happen to me’ attitude that’s so pervasive. In reality, there are two types of businesses: Those that know they’ve been breached and those that don’t know it yet.

“With the obligation to notify breaches comes a higher potential for reputational risk, which will effectively force businesses – including real estate agencies – to focus on cyber security. Complacency has to be a thing of the past,” the data and privacy specialist said.

With the new mandatory data breach notification laws effectively forcing businesses to focus their attention on cyber security, Ms Nicholson said the importance of being prepared will take on a new significance.

“Agencies should undertake an information mapping exercise, so they are familiar with the extent of their potential exposure,” Ms Nicholson said. “This will help identify potential risk scenarios and inform any investment in measures and processes to reduce risk.

“Education is also an essential piece of the puzzle. Survey after survey reveals that one of the biggest causes of data breaches are lost or stolen unencrypted mobile devices. Agencies need to understand how their staff are dealing with data and what potential there is for it to be compromised. Problems arise from unintended consequences, so staff education is key.

“Agencies should also have a documented incident response plan in place and have a crisis team ready to roll in the event of a breach.”

Ms Nicholson said the more prepared an agency is for a cyber security breach, the better they can respond.

“Businesses need to critically examine their existing information security framework, work out how to improve it and then take action.

“Some will undoubtedly say: ‘I don’t have the budget for it’. My response is: ‘Do you have the budget not to do it?’ The time and money a business invests preparing for the possibility of a cyber attack will repay itself many times over in the event an incident actually occurs and the fallout needs to be managed.”

Notifiable Data Breach scheme

What is the Notifiable Data Breach scheme?

The scheme requires organisations covered by the Privacy Act 1988 (Cth) to notify individuals likely to be at risk of serious harm by a data breach.

The notice must include a description of the data breach, the kinds of information concerned and recommendations about the steps individuals should take in response to the data breach.

The Australian Information Commissioner must also be notified.

Which data breaches require notification?

The Notifiable Data Breaches scheme requires notification of ‘eligible data breaches’. These are breaches that are likely to result in serious harm to any of the individuals to whom the accessed information relates.

A data breach occurs when personal information held by an organisation is lost or subjected to unauthorised access or disclosure. Examples include when:

  • a device containing customers’ personal information is lost or stolen
  • a database containing customers’ personal information is hacked
  • customers’ personal information is mistakenly provided to the wrong person.

Why is the scheme important?

The scheme will strengthen the protections afforded to everyone’s personal information and will improve transparency in the way organisations respond to serious data breaches. This will, in turn, support consumer confidence that personal information is being respected and protected.

When did the scheme take effect?

The scheme commenced on 22 February 2018 and only applies to eligible data breaches that occur on or after that date.

To find out more about the Notifiable Data Breaches scheme and access resources, go to www.oaic.gov.au

Reducing your risk

Dan Weis, Penetration Tester and Security Specialist at Kiandra IT, details the top five cyber security risks of real estate agencies and how to effectively respond to them.

  1. Users

    Even the most heavily fortified environments can be penetrated by a well-crafted phishing email. Agencies should invest in awareness training to educate staff about common types of attacks to ensure they understand the latest threats.

  2. Passwords

    Strong password usage should be implemented by agencies, with regular password changes enforced and filters applied to prevent easily guessed passwords. Internet facing systems (such as VPN’s, Outlook Web Access and other web portals) should have multi-factor authentication.

  3. IT

    All too often, IT teams provide too much open access, fail to apply the necessary security controls, misconfigure systems and don’t implement intrusion prevention and detection measures. Agencies should ask their IT team what security controls they have in place to protect the business.

  4. Penetration testing

    Penetration tests assess and report on risks, threats and vulnerabilities and the overall security profile of a business, and detail what remedial steps need to be taken. Regular testing is one of the best ways to mitigate against security breaches.

  5. Incident response

    Agencies must assume their business will be breached at some point and need to have a documented incident response plan in place to ensure they can detect, recover and communicate with clients should a breach occur.

Want more?

  • Want to keep up-to-date with industry news? Become a member today
  • If you're a member and have any questions call the REINSW Helpline on 9264 2343.
  • Keep learning with REINSW TrainingReal Estate Licensing Course. In-class - Day/Evening, Online, Recognition of Prior Learning.

Related articles