Recent news stories about the data breach at petrol station operator Z Energy highlight the importance for companies that hold significant amounts of customer data in their IT systems of having a plan in place should their security be successfully breached.
Such a breach could happen via a hack, someone identifying and then exploiting a vulnerability in existing systems, or through a ransomware-type attack. Although many business owners might think they are too small to be targeted by hackers, in fact the opposite is true. Over the last few years, hackers have been shifting their focus to smaller businesses for a number of reasons outlined in this article from Inc.com. Over half of attacks are now being carried out on small to medium-sized businesses rather than large corporates.
The biggest concern in the Z Energy story was the fact that the company chose not to tell its customers about the problem soon after the issue was first discovered. Instead of informing all the people who held one of the vulnerable fuel cards once it had been alerted to the vulnerability, it simply shut the system down with no customer communication. Z Energy says its position was that no customer data had actually been accessed, and therefore it felt there was no need to let customers know about a potential security breach.
The question is raised – at what point does an issue become serious enough that a company should alert its customers to possible breaches of their account information?
This is not an easy question to resolve, given a number of factors:
- The company is not likely to want to overreact and alert its customer base to an issue that might damage the business or its reputation
- A company may receive advice that suggests the issue be kept under wraps until more is known or until it has to be publicly addressed
- The issue of scale needs to be considered: for example, if the business is smaller (not nationwide) or the possible breach only impacts a small number of customers, is it necessary to advise the entire customer base and also let the media know?
However, the new GDPR regulations that have been rolled out in Europe do give some guidance around the expectation on businesses to alert customers immediately when they know or think there has been a breach of their data.
Article 33 of the GDPR dictates that, in the event of a personal data breach, data controllers notify the appropriate supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it.”
The GDPR also specifies the type of information that the above notifications must include.
The GDPR regulations are likely to be just the first of similar sets of rules to be rolled out in countries around the world, including New Zealand and Australia.
In New Zealand the new NZ Privacy Bill is expected to be passed into law within the next 12 months, and is likely to provide a data privacy model similar to GDPR, so this is something very close to home for businesses and organisations of all sizes in New Zealand.
So the upshot is that in the near future, it will not be “optional” for companies like Z Energy to communicate with their customers in this type of situation. Penalties for not communicating with customers within a short time of discovering the issue may be introduced and, if the GDPR example is followed elsewhere, those financial penalties may be severe – and will come on top of any other financial and reputational losses a business may suffer due to a data breach.
So how would your organisation ensure you have the data available to respond quickly and effectively?
- Being expected to report where, when and how a breach occurred means it is critical to have a full monitoring system in place in advance that will track access to your database or network and identify any potentially unusual activity.
- The ability to accurately monitor, detect and prioritise access and activity is the key to accelerating breach detection without causing business disruption.
There is a range of tools available to help monitor activity and enable fast reporting of any abuse of data access by anyone inside or outside an organisation.
If you would like some support around ensuring your company is well prepared to detect, avoid and act on potential data breaches, including the recommended steps to take from an IT perspective, please get in touch. As always, our team would be happy to advise you.