Protect your business from a data breach
Data breaches are easier to avoid than they are to fix. Here’s what you can do to reduce the likelihood of a breach.
How to protect against a data breach
As a business owner, you are obligated by the Privacy Act to protect people's personal data.
Consider what information you really need to collect from clients and contacts.
Your level of risk is based on the amount of data you have — the more you collect, the more valuable it is to an attacker. By only collecting what you need, you reduce your risk.
If you use a cloud service for data storage, check the provider can give you the services and protection you need. Ask them:
- if they’ll back up your data for you, or if you have to do it yourself
- if they offer the option to use 2FA (if not, see if there’s another provider who does)
- if they’ll notify you of a security breach if it happens
- what happens to your data if they’re bought out by another company, or if they go under
- if they have a public security policy, and a way for you to report security problems to them — for example, through an abuse@ or security@ email address. If not, that should be a red flag for you.
Ensure two-factor authentication (2FA) is set up on all data storage systems.
Make sure you’re encrypting any data you collect. This includes while it’s:
- in transit – for example, collect data from your customers through an HTTPS form
- at rest – when it’s stored in a database.
Ensure data can only be accessed by those who need it – this reduces the risk of it being accidentally shared. Make it clear to employees who have access to data that they can only use it for work-related purposes.
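As an added example (not part of the original guidance), here is a small Go program that puts the three controls above into code: it refuses a data-collection form endpoint that is not HTTPS, encrypts each customer record with AES-GCM before storing it, and only lets a "support" role decrypt it, writing every read attempt to an audit trail. The role names, the Store type, the sample record and the key held in memory are assumptions made for the demonstration; in practice the key comes from a key manager or the cloud provider's key service, not from the same place as the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
)

// Role is a hypothetical job role; only "support" is assumed to need customer details.
type Role string

const (
	RoleSupport   Role = "support"
	RoleMarketing Role = "marketing"
)

// Store keeps customer records as ciphertext only; the key is held in memory purely for this demo.
type Store struct {
	key   []byte            // 32-byte AES-256 key, supplied by the caller
	rows  map[string][]byte // record id -> nonce || ciphertext
	audit []string          // every read attempt, allowed or denied
}

func NewStore(key []byte) (*Store, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	return &Store{key: key, rows: map[string][]byte{}}, nil
}

// CheckSubmissionURL is the "in transit" check: the form collecting the data must be served over HTTPS.
func CheckSubmissionURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" {
		return fmt.Errorf("form endpoint %q must be a valid HTTPS URL", raw)
	}
	return nil
}

func (s *Store) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(s.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Save is the "at rest" control: AES-GCM with a fresh random nonce, and the
// record id bound as associated data so a row cannot be moved to another id.
func (s *Store) Save(id, detail string) error {
	g, err := s.aead()
	if err != nil {
		return err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.rows[id] = g.Seal(nonce, nonce, []byte(detail), []byte(id))
	return nil
}

// Read is the "only those who need it" control: roles other than support are
// refused before any decryption happens, and every attempt is audited.
func (s *Store) Read(who string, role Role, id string) (string, error) {
	if role != RoleSupport {
		s.audit = append(s.audit, fmt.Sprintf("DENIED %s (%s) read %s", who, role, id))
		return "", errors.New("access denied: role may not view customer data")
	}
	blob, ok := s.rows[id]
	g, err := s.aead()
	if !ok || err != nil || len(blob) < g.NonceSize() {
		return "", errors.New("record missing or unreadable")
	}
	n := g.NonceSize()
	plain, err := g.Open(nil, blob[:n], blob[n:], []byte(id))
	if err != nil {
		return "", err // wrong key or tampered row: GCM authentication failed
	}
	s.audit = append(s.audit, fmt.Sprintf("ALLOWED %s (%s) read %s", who, role, id))
	return string(plain), nil
}

func (s *Store) StoredBytes(id string) []byte { return s.rows[id] } // what actually sits on disk
func (s *Store) AuditLog() []string          { return s.audit }    // the access trail

func main() {
	key := make([]byte, 32) // constructed demo key
	rand.Read(key)
	st, _ := NewStore(key)
	fmt.Println(CheckSubmissionURL("http://example.com/signup")) // rejected: not HTTPS
	st.Save("c1", "jane@example.com")                           // constructed sample record
	fmt.Printf("on disk: %x\n", st.StoredBytes("c1"))
	_, err := st.Read("bob", RoleMarketing, "c1")
	v, _ := st.Read("ana", RoleSupport, "c1")
	fmt.Println(err, "|", v, "|", st.AuditLog())
}
```

The point of binding the record id as associated data is that a copied ciphertext row cannot be re-attached to a different customer without the decryption failing, and the point of checking the role before touching the key is that a denied request never causes the plaintext to exist in memory at all.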
Develop a response plan for what to do if your business is affected by a data breach – or any other type of online security incident. Make sure your staff know to report any security breach to your IT person or team.
If your business has had a data breach:
- disconnect the compromised system from the internet, but don’t turn it off. If you turn it off, you could lose evidence that will help you work out what happened
- reset the passwords for any compromised accounts
- report the breach. Under the Privacy Act 2020, if your business or organisation has a breach that is likely to cause anyone serious harm, you are legally required to notify the Privacy Commissioner and any affected persons as soon as practicable
- be open and transparent with your customers. Notify anyone who could be affected immediately. Let them know:
  - what information was breached
  - what you’re doing to address the problem
  - how they can contact you if they have queries
  - when you’ve fixed the issue.
Report a breach to the Privacy Commissioner
Notification of a breach should be made to the Office of the Privacy Commissioner no later than 72 hours after you become aware of a notifiable privacy breach.