Reducing Privacy Risk As You Grow: Business Lessons from the Services NSW Data Breach

Last year, Services NSW suffered data breaches that exposed the personal information of more than 100,000 of its clients. Passport details, Medicare numbers, and licence details were amongst the data stolen. Since the breach, the Auditor-General of NSW (the AG) has released a detailed report regarding the incidents, including 8 recommendations. Interestingly, the agency’s growth was highlighted as an exacerbating factor of privacy risk. In this blog post, we explore how the AG’s recommendations can be used to inform better data management in growing businesses: 

The Services NSW Data Breach: What Happened? 

In March 2020, Services NSW was the target of two separate cyberattacks which resulted in the unauthorised access of a large volume of personal customer information. In both instances, hackers gained access to the email accounts of staff members via phishing. 

Phishing is a method whereby malicious actors attempt to gather personal information using deceptive emails and websites. The goal is to trick the recipient of the deceptive email into clicking a link or downloading an attachment, ultimately allowing the hackers access to user accounts.  Successful phishing attacks are considered an example of human error in cybersecurity. You can read more about phishing in this CSO article. 

Once the hackers had access to the staff email accounts, they were able to access copies of documents containing personal information that had been scanned and sent to staff email accounts.  

“Service NSW’s significant and rapid growth has outpaced the establishment of a robust control environment which has exacerbated privacy risks”. – Audit Office of NSW 

The AG’s Recommendations for Better Privacy Practices at Services NSW 

The AG made 8 recommendations for Services NSW following the data breach. They were, in essence: 

1. Develop and implement secure data transfer mechanisms. (Here’s our quick guide to safely transferring files.) 
2. Reconsider current data storage processes to minimise the volume of stored personal data and to keep the stored personal data more securely. (Read more about data minimisation in practice here.) 
3. Ensure future agreements with third-party agencies transparently discuss data collection, use, and storage practices, as well as data breach notification processes.  
4. Review current privacy management, including increasing understanding of privacy obligations and ensuring continuous review of privacy programs.  
5. Review existing policies and processes to identify and manage privacy risk, including ensuring that there are action plans to address strategic privacy risks.  
6. Develop more secure IT controls for customer relationship management platforms and related systems that hold personal information, including implementing internal access control and requiring multi factor authentication.  
7. Review and revise existing agreements relating to data collection, use, and storage to ensure adequate data security and transparent data practices.  
8. Undertake a privacy impact assessment for any processes, systems, and transactions that involve the handling of personal information.  

You can read the complete report by the AG here: https://www.audit.nsw.gov.au/our-work/reports/service-nsws-handling-of-personal-information  

The 2 Biggest Business Lessons from the Services NSW Incidents 

Continuous Training for Your Staff is Crucial in Minimising Organisational Privacy Risk. 

A major business lesson here is that seemingly benign practices can pose serious privacy risks, especially where staff members are not aware of and vigilant against potential privacy threats.  

Your staff represent your single largest privacy risk. Robust cybersecurity mechanisms are essential, but they are less meaningful if your staff aren’t well trained too.  

We would argue that you staff pose an increased risk during periods of rapid growth. Privacy training often falls to the wayside or is overlooked during busy periods. This risk is compounded by the fact that businesses don’t tend to assess privacy awareness during staff onboarding and orientation. Moreover, processes that promote basic privacy hygiene tend to be overlooked or ignored as organisations become busier. In both cases, untrained or under-trained staff significantly increase the privacy risk faced by your organisation.  

Implementing Privacy by Design is Non-Negotiable.  

The recommendations outlined by the AG do broadly apply to all businesses today. But they should be considered within the context of the Privacy by Design (PbD) framework. PbD involves building privacy into decision making, as well as operational processes and information systems.  

The 7 principles of PbD are (as outlined by the AG in the report):  

1. Proactive not reactive, preventative not remedial. 
2. Privacy as a default setting. 
3. Privacy embedded into design. 
4. Full functionality: positive sum not zero sum. 
5. End to end security – full lifecycle protection. 
6. Visibility and transparency – keep it open. 
7. Respect for user privacy – keep it user centric. 

Better Privacy with Privacy 108 

If your organisational privacy isn’t maturing as quickly as your company, now is the time to act. Privacy 108 works with growing organisations to develop future-proof privacy risk management strategies and robust IT protections.  

Privacy 108 can help: 

• Develop a privacy improvement strategy for your organisation, to help address privacy risks and improve the maturity of your privacy program; 
• Conduct privacy impact assessments; 

• Develop and delivery privacy and security awareness training, targeted at your organisation’s requirements; 
• Work with your privacy team to develop their expertise; 
• Provide you with resources to help supplement your existing team. 

Contact us to find out how your organisation could benefit from better privacy practices.