When we think of online crime, we think of someone taking money out of our bank account. That is the common illustration of a threat in the world of cyber security. But there is something far more fundamental that is soon going to worry all of us: breach.
We all lead very private lives. Social media is about the images we project, but behind the scenes we don’t reveal our vulnerabilities. Our medical records, our educational accomplishments (or lack of), our bank balances, our tax returns. And what about our shopping habits, our travel plans, our hotel bookings – these are all private. Can you imagine if a hospital computer network is breached and all their patients’ medical conditions are made public. Just think what would happen if everyone’s tax returns suddenly were floating around the Internet.
We all remember that scene in that beautiful film Love Actually, when the late, naughty Alan Rickman bought an expensive gift for his office co-worker, and we remember Emma Thompson’s sadness when she found out – she happened to see her husband sneaking around buying the lavish present for his mistress. But, can you imagine if one could simply look online and see what your partner is spending money on.
I remember one of my first clients, going back about 20 years. It was a big hotel chain. They told me that on Valentine’s Day they have 400% occupancy. Imagine what would happen if they were breached and all these people’s names were suddenly there for everyone to see. The Ashley Madison hack is a case in point: people committed suicide over this.
Laws are coming to punish those companies that don’t behave responsibly. Australia is ahead of the curve on this front. Breach laws are coming into effect this year. A company will legally need to report any data breach to the government, and also, notify their customers that have been affected.
According to the bill, a data breach is classified as an instance where there has been “unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals (the affected individuals), or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure”. It qualifies as an “eligible data breach” when there is a likelihood that the individuals who are affected by the incident are at “risk of serious harm” because their information has been exposed.
In short, if your company has a breach and does not disclose it, and you get busted, then the guilty company will be hit with massive fines. But this is not the real problem – it is about the people that are affected by having their private data exposed. This is where the real damage could be, and hence why laws are coming to help keep people’s private lives, private.
For a modern day company, university, or any organization that is holding a ton of private, and often, sensitive, data, breach is becoming a big concern, and an item on the executive agenda. This is not something that can be delegated down the chain as a nice to have project to be looked at in someone’s spare time. This is a serious issue. We have all our private information sitting there in databases connected to the Internet, and if a hacker really wanted to cause trouble they could mobilize mass panic in one well-crafted cyber attack.
Today’s connected organizations need to be responsible and they need to put in place the necessary technical steps to be notified of a breach, and to deal with these vulnerabilities as soon as possible. No one can afford to bury their head in the sand on this matter. To end off, imagine if a law firm or one of the accounting giants got hacked – just think of what a breach could lead to when it comes to confidential and private information. Phew!
Breach notification technology and “incident response” is soon going to be mandatory for all connected organizations.