Time to Tackle PII data before the 2018 Data Breach deadline

By Seth Butcher

Deadlines tend to creep up on you. For many Australian organisations the effective date of 22 February 2018 for new Mandatory Data Breach Notification Laws is getting scarily close, while those who ignore it in 2017 will need to hit the ground running in the new year to be prepared.

While the legislation does not apply to local councils and state government agencies, it hits hard in the private sector. Any organisation with an annual turnover greater than $A3 million is covered which means it’s not just an enterprise issue, many SMBs are caught in the net

It’s not just the Big Banks, utilities and large federal government agencies that need to be concerned, the impact will be felt at many schools, universities, surgeries and Not For Profits (NFPs).

And concerned they should be, given the severity of fines able to be applied under the Act: up to $A360,000 for individuals and $A1.8 million for companies.

Australian Privacy and Information Commissioner, Timothy Pilgrim provides some helpful advice here, saying, “agencies and businesses should continue to take reasonable steps to make sure personal information is held securely - including being equipped with a clear response plan in the event of a data breach.”

But how can your organisation be sure that “information is held securely” as Commissioner Pilgrim advises?

Especially when submitting credit card details via a paper form is still a fundamental way of doing business across the spectrum.

Even with the most secure systems in place, your biggest risk still lies in human frailty. It’s widely recognised that most data loss occurs due to staff negligence or bad practices.  

Just look at the most recent example where a misconfigured database backup to the Amazon cloud exposed the details of more than 50,000 Australians, including credit card numbers.

At Toshiba Australia. Electronic Imaging Division we have encountered widespread concern over the new Data Breach regime.

This concern is justified with many still holding paper archives containing credit card details and other personally identifiable information (PII) data such as Tax File Numbers (TFNs). Submitting these details on paper is still a common practice for organisations both large and small across the business spectrum.

Even for those who have progressed to scanning the paper forms and implementing digital processes, these PDF forms then sit on a fileshare or in an EDRMS where they still represent a threat and a real risk under the upcoming Data Breach regime.

To help organisations deal with this threat up front rather than after an embarrassing breach, Toshiba Australia has developed a solution offering to help redact or hide sensitive data such as credit card numbers.

The solution is able to automate the task of discovering and redacting PII data such as credit card numbers or TFNs in a repository of PDF or Word documents. blacking them out so they cannot be read. It’s fully-automated, meaning that CCNs/TFNs are automatically discovered in source documents, regardless of their location

Once the sensitive data has been redacted, you can choose whether to replace the original files with redacted PDF/Word versions, or keep the original files somewhere more secure and out of reach of your business daily operations, while maintaining the same name for the new redacted file

Security and privacy are increasing in importance and becoming more political; a challenging situation that has been compounded by frequent news of data breaches.

Organisations are facing increasing pressure to securely and intelligently manage all the data they hold, to ensure regulatory compliance, as well as protect against the very real reputational (and financial) risk that data loss or breach presents.  

According PricewaterhouseCoopers (Australia), the new Data Breach regime, “present companies with an opportunity to engage with their customers on privacy protection and to build/maintain trust in an increasingly digital world. This is an ideal time to review how your company manages its information (and manages itself) to take stock of its information assets, its data protection measures (including response activities) and to ensure it minimises the risk of a breach in the first place.”

For more information on how to prepare your organisation for Data Breach D-Day on Feb 18, 2018, contact eidsolutions@toshiba-tap.com.

https://www.toshiba-business.com.au/company/contact-us

Seth Butcher is National Solutions Group Manager at Toshiba Australia

Request further information - Article