Why how you store data could make or break your business
It began with an old website that was no longer being used and ended with AA Traveller emailing hundreds of thousands of customers, telling them their personal information was in the hands of hackers.
Setting aside the fact that cybercriminals are ultimately to blame, the AA never deleted the data on the decommissioned website. This allowed hackers to take the names, addresses, contact details and expired credit card numbers of customers who used the website between 2003 and 2018. In particular, there was a 2010 online survey that nearly 30,000 people responded to. The AA said those surveyed were at risk of being hacked by an overseas account.
On top of that, the breach itself happened in August last year. AA Traveller only found out this March. It made a public apology, acknowledged customers should have had their data protected and said it was "incredibly sorry".
But it's something Auckland-based IT services provider Vertech says could have been completely avoided. The company's founder and CEO, Daniel Watson, thought the AA would have had that data better secured than it did.
"[The survey] was 12 years old," he says. "Why were you still keeping it?"
Knowledge is power
The acting Privacy Commissioner Liz MacPherson says as the world continues to morph into a digital economy, data becomes more and more important.
For example, the more you know about a person, the more you can personalise services or products for them, increasing the chance they'll like it and, as a result, keep coming back. MacPherson says personal information is being collected every day, and under the Privacy Act's definition, she says, it is "any information about an identifiable living human being, so anything that can tell us about a specific individual."
"There are all sorts of different things if you use that definition that are picked up as personal information - names, contact details, financial health records, purchase records, client details, client records, correspondence, employee records," she says.
So just how much information does the average organisation hold about us?
Vertech's senior systems engineer Peter Drum specialises in data and data governance and explains that it's complicated.
It depends on a whole range of factors, including the:
- Length of time the business has been running
- Scale of the business and the nature of the work they do
- Data retention practices of the business, which can be affected by legal requirements and by whether acquired companies had different metrics for retaining data
"There's not sort of one guiding figure that you might say for every three staff you have 200 gigabytes of data or something nice and simple like that," says Drum.
Watson says anecdotally, clients seeking him out know they have issues, but they're not sure what they are.
"Very few companies come to us and say 'hey say check us out' and we have a look and we say 'oh nothing to do here, you're good'. Essentially, from our perspective, it's a vast market but at the same time that's quite worrying. We've all become digital packrats."
Drum says that's because the storage of data itself has changed. There's simply no limitation on how much you can store because companies don't need vast rooms for physical records.
"You can keep huge amounts of data, the limitation is not cost anymore, the limitation is really do you need it?" he says.
"That can be a hard decision or a low priority decision because there are other concerns that business owners have."
But choosing to delay dealing with data storage can come back to haunt companies. The AA example is the most recent warning but surely won't be the last.
Under the Privacy Act, agencies must take reasonable steps to avoid security breaches and protect customer data privacy.
MacPherson explains what the threshold is. "It's a case-by-case situation," she says.
"[But] we would be expecting agencies to understand the nature of their data, the nature of their data flows and to have put in place reasonable protections externally, making sure if you use software that it's patched regularly, passwords, authentication, making sure USB sticks are encrypted, all those sorts of things."
Breaking the law
Under the Privacy Act, there are two avenues for the Privacy Commission to investigate a company over breaches. First, an individual can make a complaint if they believe a business has breached their privacy, or if the company refuses to give them the personal information it holds about them.
"We look at, first of all, has there been a breach of their privacy and secondly whether there's been harm caused," says MacPherson.
"If we find that there has been interference in someone's privacy we can recommend financial compensation. We don't actually issue fines [ourselves], but if a privacy complaint then goes on to the Human Rights Review Tribunal, an agency can be liable for damages up to $350,000 per privacy complaint."
The second way the Privacy Commission can investigate a company is through a new power under the Privacy Act 2020. The Privacy Commission can take proactive action where it believes there are systemic issues or failures regarding privacy breaches. After the initial investigation, MacPherson says they try to educate the organisation.
"Often that's really successful," she says.
"People go 'oh gosh I never realised that this was what I was supposed to do' and they put it right. Sometimes we have to give people warning letters which effectively say, if you don't put this right then we're potentially going to follow up with a compliance notice or we could take compliance action."
MacPherson says there are multiple different points where companies can turn things around without being taken to court.
"Prosecutions take a long time so our aim is to actually get the behaviour shifts early and we think it's in the best interest of agencies to change their behaviour," she says.
However, if it does land in court, the maximum penalty for a criminal offence, such as failing to comply with a compliance notice, is $10,000.
Since December 2020, there's also a mandatory requirement for businesses to disclose privacy breaches that cause serious harm within 72 hours of becoming aware of them. But MacPherson says the legal implications aren't the only consequences companies should consider.
"The biggest issue for a company is actually the reputational damage that comes from having a breach, be it an internal or an external breach. The reputational damage is the thing that will stay with the company and it can mean the customers lose confidence," she says.
"Trust is something that takes a long time to build and it's very easy to lose."
How do you keep data and yourself safe?
The Privacy Commissioner says before even thinking about cybersecurity measures, companies should only collect the data they actually need. Then they should think about a retention schedule, which sets out how long the data will be kept for. MacPherson says this rule of thumb can be applied to something as simple as being a landlord and collecting information about applicants.
"If you were applying to see a flat…you might send in an application form," she says.
"If you didn't become the preferred tenant then your application form should be deleted at that point, none of that information should be stored."
MacPherson says companies that want to continue collecting data have to maintain trust and confidence by only collecting what they need, making it clear what they are using it for, using it only for that purpose, keeping it safe and secure, and then deleting it when they no longer need it.
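The retention schedule MacPherson describes is simple to state but only works if something actually enforces it. The following Python script is an added example and is not code from the AA, Vertech or the Privacy Commissioner: it applies a constructed retention schedule (a one-year period for survey responses, immediate deletion for declined tenant applications, a seven-year period standing in for a legal record-keeping rule) to a handful of constructed records, flags anything whose category has no retention period for review rather than silently keeping it, and writes an audit line for every decision. The record categories, periods, identifiers and review date are all assumptions made up for the example.

```python
"""Retention-schedule enforcement over a small constructed dataset.

Added example; not code from the AA, Vertech or the Privacy Commissioner.
Categories, retention periods, record ids and the review date are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple, Dict

# Constructed schedule: days a record is kept after its trigger event.
# A category missing from this table is deliberately NOT kept by default;
# it is routed to a human review queue (you cannot protect what you have
# not classified).
RETENTION_DAYS = {
    "survey_response": 365,         # one year after the response was collected
    "tenant_application": 0,        # declined applicants: delete at the decision
    "transaction_record": 7 * 365,  # stand-in for a multi-year legal retention rule
}

# Constructed "today" so the example is reproducible.
AS_OF = date(2022, 5, 1)


@dataclass
class Record:
    record_id: str
    category: str
    collected_on: date
    decided_on: Optional[date] = None   # tenant applications only
    outcome: Optional[str] = None       # "accepted", "declined" or None (pending)


def expiry_date(record: Record) -> Optional[date]:
    """Return the date the record should be deleted, or None if it is
    retained while still needed. Caller must check the category exists."""
    if record.category == "tenant_application":
        if record.outcome == "declined" and record.decided_on is not None:
            # The article's rule of thumb: a declined applicant's form is
            # deleted at the point the decision is made.
            return record.decided_on
        return None  # accepted (ongoing tenancy) or still pending
    return record.collected_on + timedelta(days=RETENTION_DAYS[record.category])


def apply_schedule(records: List[Record], today: date) -> Tuple[Dict[str, List[str]], List[str]]:
    """Classify records into delete / keep / review and produce an audit trail."""
    decisions: Dict[str, List[str]] = {"delete": [], "keep": [], "review": []}
    audit: List[str] = []
    for r in records:
        if r.category not in RETENTION_DAYS:
            action, reason = "review", "no retention period defined for this category"
        else:
            exp = expiry_date(r)
            if exp is not None and exp <= today:
                action, reason = "delete", f"expired on {exp.isoformat()}"
            elif exp is not None:
                action, reason = "keep", f"expires on {exp.isoformat()}"
            else:
                action, reason = "keep", "retained while the relationship is active"
        decisions[action].append(r.record_id)
        # One audit line per decision so a later reviewer can see why data
        # was removed or kept.
        audit.append(f"{today.isoformat()} {action.upper():6} {r.record_id} ({r.category}): {reason}")
    return decisions, audit


def sample_records() -> List[Record]:
    """Constructed sample data, loosely modelled on the situations in the article."""
    return [
        Record("survey-2010-0001", "survey_response", date(2010, 6, 1)),
        Record("tenant-0007", "tenant_application", date(2022, 4, 1), date(2022, 4, 20), "declined"),
        Record("tenant-0008", "tenant_application", date(2022, 4, 1), date(2022, 4, 20), "accepted"),
        Record("tenant-0009", "tenant_application", date(2022, 4, 28)),
        Record("txn-55012", "transaction_record", date(2016, 1, 15)),
        Record("legacy-export-01", "legacy_export", date(2003, 3, 3)),  # unclassified data
    ]


def run_example(today: date = AS_OF) -> Tuple[Dict[str, List[str]], List[str]]:
    return apply_schedule(sample_records(), today)


if __name__ == "__main__":
    decisions, audit = run_example()
    print("\n".join(audit))
    print(decisions)
```

The "review" bucket is the part worth copying: data nobody has classified is exactly the data that tends to outlive its purpose, so the script refuses to make a keep-or-delete decision for it and surfaces it instead.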
Vertech says the most common issues companies have when it comes to data are that they don't know what they have or where it is, access to information is overly permissive, and they fall for a sunk cost fallacy.
1. What do we have and where is it again?
Watson says businesses might not have narrowed down everything about their data and where it's stored. He says multiple departments might be collecting data on their clients and storing it in different locations with different methods.
"Are they encrypted, are they secured from inappropriate access or unauthorised alteration, are they even backed up?" he says.
"The worst thing that might happen for a company's data is not that somebody else gets access to it and steals it, it's that it's lost. So is it stored in a way that actually protects it from accidents?"
"I've heard from security staff who have been dealing with large businesses that have been using free marketing tools and uploaded their client list into it, not realising that when you use the free version…your client list might be being shared by third parties."
2. Overly permissive access
Watson urges companies only to give employees access to what they need to do their job and says he learnt this the hard way. When Vertech was smaller, he hired from family and friends, but once it started growing, Watson had to hire outside of that circle.
"Somebody else came into the business, we gave them that trust, they had all sorts of access that we realistically should never have ever given them and they abused it," he says.
"So it's all good right up until it isn't. It's easy to make things work, a lot of it is just get it working. But securing it after the fact is harder than baking it in in the beginning."
The Privacy Commissioner says many agencies think only about external security risks instead of data breaches from within the organisation. She says the leading cause of data breaches is actually still human error, though there has been an increase in malicious attacks. MacPherson says human error doesn't necessarily mean someone has intentionally abused their access to information; it could mean something as simple as sending the wrong email to somebody.
"Usually what happens is that the agencies concerned say to us, [it was a] 'human error' and when they say human error what they effectively are saying is it was an accident," she says.
"But actually most of these human errors could be avoided."
And one way to avoid it is to limit the access employees have to the data.
"You don't want to have open access to personal information and you also need to think about the auditability of your access provisions as well, so you need to be able to see who's been into a particular file," says MacPherson.
3. Sunk cost fallacy
Drum warns companies not to get stuck in the mindset that it will be too hard to change anything now or that people don't abuse their access anyway.
"If you plan and manage change appropriately, the impact is almost always zero; otherwise it's very low," he says.
He says the best thing a company can do is a regular review process.
"It doesn't matter the frequency so much as long as it's no less than annual," says Drum.
"You really do need a champion in the business"
Watson says for any lasting change to occur, it needs to be from the top down. He says if the directors of the board aren't engaged, then change is unlikely because the people underneath aren't going to get direction, written policy, or resources to make changes.
Drum agrees and says, "You really do need a champion in the business."
He believes directors and boards are becoming more aware of the implications of data storage, but there's still a long way to go. Drum warns that collaboration is needed between the business itself, operations and whoever looks after the systems.
"If you come along and make a bunch of changes to things without consulting the people who use the data you can block access that people need," he says.
MacPherson strongly encourages companies to prioritise data and says data is critical for an agency's ability to innovate and improve its operations. But she says only companies that take responsibility for data earn the trust of customers and have the social licence to use personal information.
"Personal information is precious, people need to protect it," she says.