Dealing with Data Breaches
Recently, both David Jones and K-Mart experienced data breaches, as hackers exploited a vulnerability in third-party website software used by the retailers. Fortunately, both companies have stated that no financial information is believed to have been stolen. However, the press releases indicate that the hackers were able to obtain customer names, email addresses and postal addresses. David Jones has warned customers to ensure that they do not provide financial information over the phone or via email.
Data breaches are an increasing risk, with the number of reported data breach notifications increasing over the last year, according to Australia’s Privacy Commissioner. No one is immune to hackers, so if you collect personal information from customers it is important to ensure that your business is protected from huge penalties.
Penalties for Retailers
As of July 2015, under Australian Privacy Laws, retailers (particularly online retailers) may be liable in cases of data breach for up to $1.8mil, for a failure to take reasonable steps to protect the privacy of personal information collected. Furthermore, individuals that have had their information compromised may also be entitled to compensation, depending on the circumstances.
Avoiding a fine
There are many steps that you can take to minimise the risk of a data breach and a hefty fine. Such steps include undertaking risk assessments (including a privacy impact assessment), appropriate training of your staff, appointing a person within your business who takes responsibility for privacy and data protection, engaging with appropriate technology, and monitoring and reviewing your systems.
It is a good idea to regularly review what information you are collecting and how long you need to keep it for (both practically and under law).
Privacy Policies not only provide peace of mind for customers, but they also set clear standards for the way your business handles customer information and security measures. These help to guide your business in taking reasonable steps to protect personal information, particularly if your data is ever breached and the Australian Information Commissioner needs to make inquiries.