As of 22 February 2018, companies turning over more than $3 million must report to the Office of the Australian Information Commissioner (OAIC), and notify any individual affected, if personal data are lost, stolen or leaked. Failing to do so can incur substantial fines and/or penalties. For more details on whether or not your company is subject to these laws, please take a look at who is subject to the new notifiable data breaches scheme.
How could my data be lost, stolen or leaked?
There are many ways in which data can be lost, stolen or leaked; we’ve listed just a few common ones below.
- A contact form on your website (by default, the submitted details are stored and sent without encryption)
- An online checkout form (although the payment transaction is encrypted, the customer details are stored in your database without encryption)
- A hack of your website that reaches your database (which is normally not encrypted by default)
So how do you know if data has been leaked, breached or stolen?
A security audit can determine whether or not your site has been hacked or your data is exposed. If you’re using standard/default website software, contact forms or checkout/payment forms, then it is best to have your site audited for vulnerabilities. If you’re unsure whether you’re using the standard/default setup or already have security measures in place, this can also be checked – however, it is unlikely that security measures are in place unless they were mentioned as a component or add-on when your website was built.
Here are a couple of audits worth doing if you’re unsure about your website security.
- Website status audit (determines whether or not any security systems are protecting your site and, if not, which systems could or should be implemented)
- Website vulnerability audit (can be run in conjunction with the above – this runs a set of tests against your website to identify any weak areas where a hack could be possible)
Implement the base systems at least
Implementing a couple of base systems on your website is the best starting point for any organisation that is subject to Australia’s new notifiable data breaches scheme. Here at IDM2 we consider the following security measures as a base for any website wanting to minimise the risk of lost, stolen or leaked data.
- Secure checkout, contact and other forms (with encryption)
- Implementing SSL/HTTPS on your website
- Google reCAPTCHA to prevent robots/crawlers submitting online forms