Sharing Sensitive Data

Veritas Technologies, a global leader in data protection, availability and insights, has revealed new research highlighting the dangers of sharing sensitive data by misusing instant messaging and business collaboration tools. In Australia, 66% of employees have admitted to sharing sensitive and business-critical company data using these tools, the survey found.

The Veritas Hidden Threat of Business Collaboration Report polled 12,500 office workers across ten countries, including 1,000 in Australia. It shows that employees take data outside the control of the businesses that employ them, exposing those companies to risk. 53% save their own copies of the information they share over IM, while 47% of knowledge workers delete it entirely. Either approach could leave companies open to significant fines if regulators ask to see a paper trail.

Sensitive data being shared by employees on these channels includes client information (15%), details on HR issues (10%), contracts (12%), product development information (12%), and even COVID-19 test results (12%). Just a third of employees said that they had not shared anything that could be compromising. The research also reveals that, while employees use collaboration tools to close deals, process orders and agree on pay raises, many do this despite believing that there will be no formal record of the discussion or agreement. In fact, only 48% thought that the businesses they worked for were saving this information.

According to Geoffrey Coley, Director, Strategy & Architecture, Asia South and Pacific region, at Veritas Technologies, “For many Australians, our entire way of work has been reset since the start of 2020. Companies are rushing to bolster their data protection ways of working to include the platforms where their business is actually being conducted.”

Increased use is compounding issues

The research shows that the challenge is compounded by the amount of time employees are now spending in messaging and collaboration apps. Time spent on tools such as Zoom and Teams has increased by 21% since the start of the pandemic. Employees are now spending, on average, 2.3 hours every day on them, with 21% of employees spending more than half their working week on these applications.

A significant amount of business is now being conducted as routine on these channels, and employees are taking agreements as binding. For example, as a result of receiving information over messaging and collaboration tools, 24% of employees have accepted and processed an order, 21% have accepted a reference for a job candidate, and 20% have received a signed version of a contract.

Sensitive data is shared on these tools even though 29% of knowledge workers have been reprimanded by their bosses for doing so. These admonishments may have been in vain, as 75% of all workers responding to the survey said that they would share this kind of information again in the future.

Geoffrey said: “Getting employees to use ‘approved’ methods of communication and collaboration tools is an uphill battle. Instead, our message is simple: don’t fight it – fix it.”

IM trusted nearly as much as email

When asked which methods of communication provide the most reliable proof that an agreement is binding, workers' trust did not appear to be based on whether the business could capture the discussion as evidence:

  • Email is viewed as a reliable affirmation of an agreement by 97%, followed by a written letter at 96% and electronic signature a close third at 92%
  • Instant messaging platforms, including Zoom, Slack and Teams, were still trusted by 90%, text by 89% and WhatsApp by 77%
  • 66% even viewed social media as reliable proof that something has been agreed

“Business data is sprawled across different locations. Deals are being done, orders are being processed, and sensitive personnel information is shared through video-conferencing and messaging platforms. It’s now critical for companies to include this rapidly growing volume of data in their protection and compliance envelope. If they don’t, the implications could be huge,” concluded Geoffrey.

Veritas recommends the following steps for businesses that want to regain control of data being shared over messaging and collaboration tools:
  • Standardise on a set of collaboration and messaging tools that meet the needs of the business – this will limit the sprawl
  • Create a policy for information sharing – this will help control the sharing of sensitive information
  • Train all employees on the procedures and tools that are being deployed – this will help to reduce accidental policy breaches
  • Incorporate the data sets from collaboration and messaging tools into the business’s data management strategy using eDiscovery and SaaS data backup solutions – this will let users make the most of the tools without putting the business at risk

For more information on sharing sensitive data, see the Small Business Answers guide “Internet Security protects from cyber threat”.

Methodology

Research conducted and statistics compiled for Veritas Technologies LLC by 3Gem. A total of 12,500 office workers who used communications channels as part of their job were interviewed between 23 November – 8 December 2020 in Australia, Brazil, China, France, Germany, Singapore, South Korea, UAE, United Kingdom and the United States.

Privacy and Protecting Personal Data

It may seem harmless that, in the course of doing business, you collect customer data in order to transact with customers or communicate with them. However, if that data is used without the customer’s permission, or worse, stolen, you may find yourself breaking the law. This guide will help you understand privacy and the protection of personal data, and what you should or must do.

Data protection is about securing data against unauthorised access. Data privacy is about authorised access: who has it and what they may do with the data. Data protection is essentially a technical issue, whereas data privacy is a legal one.

WHY should I protect my customers’ personal data?

Apart from the fact that a customer will not be very happy with you, it is the law. You must comply with the Australian Privacy Act 1988 (Cth) if your annual turnover exceeds $3 million.

You are responsible for protecting your customers’ personal information from:
  • theft
  • loss
  • unauthorised access
  • modification
  • interference
  • misuse
  • disclosure
If your small business turns over less than $3 million, you must still comply with the Act if you are a:
  • private-sector health service provider
  • business that sells or purchases personal information
  • contractor providing services under a contract with the Australian Government
  • credit provider/credit reporting body
  • residential tenancy database operator

All other small business operators are exempt from the Act; however, protecting your customers’ data is good business practice.

WHAT types of information are considered private?

Any information that can identify a person, including:

  • name
  • signature
  • address
  • email
  • telephone number
  • date of birth
  • medical records
  • bank account details
  • place of work
  • photos
  • videos
  • information about their opinions

If your business is covered by the Act and you suffer a breach of personal information that is likely to result in serious harm to the people affected, you must notify both those people and the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches scheme. Even where notification is not mandatory, telling affected customers promptly is good practice.

HOW do I protect customers’ personal information?

The following actions will assist with your compliance with the Privacy Act:

  1. Do not collect personal information you do not need
  2. Develop an internal policy to handle and process personal information
  3. Take ownership yourself or delegate to a senior member of staff
  4. Do not share this data with anyone else
  5. Sensitive information (such as race, religion or health) may only be collected with the individual’s consent
  6. Ensure unauthorised staff members do not have access
  7. Take reasonable steps to protect personal information from unauthorised access, modification, or disclosure and against misuse, interference, and loss
  8. Destroy or de-identify personal information when it is no longer needed
  9. Develop a plan for a data breach

HINTS

If you process credit card transactions by EFTPOS or through an e-commerce store, ensure your network and equipment are secured and that card data is encrypted in transit. Restrict who has access to that data and, preferably, do not store card details at all. The card schemes’ PCI DSS self-assessment questionnaire is a good starting point for checking how you handle cardholder data.

If you plan to contact customers via direct marketing (email, phone call, text, post, social media or web advertising), you should let customers opt out (request not to be contacted). If the Privacy Act covers your organisation (turnover above $3 million), you are legally required to allow a customer to opt out, and the Spam Act 2003 requires a working unsubscribe facility in commercial email and SMS regardless of your turnover.

Australian privacy law gives a consumer the right to access their personal information. This includes their health information. This right does not extend to commercial information.

Be sure to read our guide on internet security.

Additional information on privacy and protecting personal data is available from the Office of the Australian Information Commissioner (OAIC).

SUMMARY – Privacy and Protecting Personal Data

If your small business has a turnover of less than $3 million, it is unlikely that you will have a legal requirement; however, for both your customers’ sake and your own, protecting personal data is good practice. If possible, do not keep personal data such as credit card details, but if you do, ensure it is protected from theft or abuse. It is worth familiarising yourself with the intent of the Privacy Act and taking the necessary actions in your business.