What it is
A data breach is when any private information held by a business is released, usually publicly, either by accident or on purpose.
As a business owner, you are obligated by the Privacy Act to protect peoples' personal data.
Protect your business
Kia pare i tō pakihi i tētahi wāwāhinga raraunga
Protect your business from a data breach
Data breaches are easier to avoid than they are to fix. Here’s what you can do to reduce the likelihood of a breach.
3 min read
How to protect your business
-
Data collection
Consider what information you really need to collect from clients and contacts.
Your level of risk is based on the amount of data you have — the more you collect, the more valuable it is to an attacker. By only collecting what you need, you reduce your risk.
-
Data storage
If you use a
service for data storage, check the provider can give you the services and protection you need. Ask them:A term referring to services, software, or data that is online, rather than running on your device or stored on physical hard drives.
- if they’ll back up your data for you, or if you have to do it yourself
- if they offer the option to use
(if not, see if there’s another provider who does)
A security setting that needs an extra piece of information, such as a text code or fingerprint, to log into your account. Short for 'two-factor authentication'.
- if they’ll notify you of a security breach if it happens
- what happens to your data if they’re bought out by another company, or if they go under
- if they have a public security policy, and a way for you to report security problems to them — for example, through an abuse@ or security@ email address. If not, that should be a red flag for you.
Ensure two-factor authentication (2FA) is set up on all data storage systems.
-
Encryption
Make sure you’re encrypting any data you collect. This includes while it’s:
- in transit – for example, collect data from your customers through an
form
a secure method (or protocol) for moving data between devices over the internet. Short for 'HyperText Transfer Protocol Secure'.
- at rest – when it’s stored in a database.
- in transit – for example, collect data from your customers through an
-
Manage staff access
Ensure data can only be accessed by those who need it – this reduces the risk of it being accidentally shared. Make it clear to employees who have access to data that they can only use it for work-related purposes.
-
Create an incident response plan
Develop a response plan for what to do if your business is affected by a data breach – or any other type of online security incident. Make sure your staff know to report any security breach to your IT person or team.
Get help
If your business has had a data breach:
- disconnect the compromised system from the internet, but don’t turn it off. If you turn it off, you could lose evidence that will help you work out what happened
- reset the passwords for any compromised accounts
- report the breach. Under the Privacy Act 2020, if your business or organisation has a breach that is likely to cause anyone serious harm, you are legally required to notify the Privacy Commissioner and any affected persons as soon as practicable
- be open and transparent with your customers. Notify anyone who could be affected immediately. Let them know:
- what information was breached
- what you’re doing to address the problem
- how they can contact you if they have queries
- when you’ve fixed the issue.
Report a breach to the Privacy Commissioner
Notification of a breach should be made to the Office of Privacy Commissioner no later than 72 hours after you become aware of a notifiable privacy breach.
Report a breach to the Privacy Commission – Office of the Privacy Commissioner(external link)