Data breaches: 305 notifications and counting

Promoted by EBM.

It’s been six months since mandatory data breach notification legislation came into effect – and there’s been no shortage of incidents reported. Do you know how to protect the private data your business holds?

Real estate businesses have some of the best databases of any industry. RE professionals diligently update their CRMs after each contact with a new or existing client – carefully recording the personal details of all those they meet. While this data houses the ‘prospects’ for the RE business, it is also a tantalising target for cybercriminals.

Hackers use personally identifiable information to make mischief and money. Accessing private data enables criminals to perpetuate all manner of frauds – from identity theft to payments fraud. And RE businesses hold (and in the case of PMs, share) a wealth of private data including:

• names
• dates of birth
• email addresses
• postal addresses
• telephone numbers
• current and previous home/rental addresses
• driver’s license/passport details or other ID like Medicare numbers
• employment details
• financial/bank account details
• tax file numbers
• credit records
• criminal records
• e-signatures
• commentary or opinion about a person (such as a referee’s comments)

As the keepers of this data, the RE profession is a prime target for data breaches, whether they are malicious (hackers use various cyberattacks including phishing to gain access to data), deliberate (a survey by a cyber security software provider found 37 per cent of data attacks in the RE sector are perpetrated by insiders, i.e. disgruntled employees) or accidental (for example an employee inadvertently releases private information to a third party).

The serious harm that can come from having private data exposed was acknowledged by the Government and on 22 February 2018 the Notifiable Data Breaches (NDB) scheme came into effect. The NDB requires all organisations covered by the Privacy Act 1988 to notify the Australian Information Officer and individuals if their private data has been breached.

Statistics from the Office of the Australian Information Commissioner reveal that since the NDB commenced, it has received 305 notifications (within the first six weeks there were 63 breaches reported). So from 22 February to 31 July, on average, 18 notifiable breaches are being reported each week. Factor in the number of people affected by each incident and it has been estimated that up to 5.3 million Australians may have had their information compromised in the last quarter alone.

The kind of information breached reinforces the attractiveness of the data stored by REs: 89 per cent of breaches exposed contact information (e.g. address, phone number, email address), 42 per cent financial details (e.g. bank account or credit card numbers), 39 per cent identity information (e.g. passport number, driver’s license number and other government identifiers like Medicare numbers) and 19 per cent TFNs (individual tax file numbers).

While most small businesses (those turning over less than $3 million per annum) are exempt from the scheme, any business operating a residential tenancy database or any RE business covered by other provisions in the Privacy Act such as those that collect TFNs, handle consumer credit information or trade in personal information like buying or selling a mailing list, has an obligation under the Act to protect the personal information they hold.

Whether the RE business is subject to the new requirements or not, data breaches are becoming more common and can have serious ramifications – financial (civil penalties are currently $360,000 for individuals and $1.8 million for bodies corporate), operational, legal and reputational.

REs can help safeguard the private data they hold by:

• Undertaking an audit to determine what data the business holds, where it is stored and who has access to it.
• Only collecting the personal information from clients (landlords and tenants) that is actually needed.
• Using best-practice to dispose of or de-identify that information once it is no longer required to be kept (based on legislation and other requirements).
• Only providing access to databases and other sources of private information to those staff who need it to do their jobs. Restricting administrator level access.
• Enforcing strict policies and procedures around the collection, updating, sharing and disposal of confidential and private information. Human error was the second-highest overall cause of reported data breaches in the last quarter.
• Training staff on best practice data protection (passwords, network security, portable device security, recognising cyber risks such as spam, scams and phishing emails etc.) and handling confidential/private information (including their responsibilities and obligations).
• Storing information on secure devices with security software such as a firewall, anti-spyware and anti-virus enabled and keeping the software/patches up-to-date.
• Encrypting all data on company-owned and BYO devices.
• Ensuring any backed-up data (such as on USBs) is kept safe. After malicious cyberattacks, theft of paperwork or data storage devices was the second-most popular cause of reported data breaches. Reconsidering uploading data to the cloud.
• Making sure the network is secure, including the Wi-Fi connection, and being vigilant about using any device in public areas.
• Creating strong passwords or using passphrases for all online accounts, and enabling two-factor authentication or verification for additional protection.
• Never sharing any personal information (unless legally obligated to do so) about clients with third parties, including those who may contact the business for tenant reference checks.

Cyber Liability insurance cover can act as a safety net for the RE business when all else fails. As the cybercrime landscape is constantly changing, the covers available are also constantly evolving. EBM understands the cyber risks a RE business faces and our insurance brokers can help businesses secure the right cyber policy.

Our advice about insurance is provided for your general information and does not take into account your individual needs.  You should read the Product Disclosure Statement and Policy Wording prior to making a decision, these can be obtained directly from EBM.

Article supplied by EBM. 
Whether it be business or personal, as one of Australia’s leading privately owned and operated insurance brokers EBM has insurance solutions to suit you.  For more information please visit www.ebm.com.au.