Data security breaches continue to pose real threats to organizations, and with incidents continuing to trend upward, 2023 will likely be another record-breaking year for data security intrusions. The vast majority are preventable with the adoption of basic security practices, and a robust information cybersecurity program, which is now more than ever a vital component of an information governance (IG) and records and information management (RIM) program.

Unfortunately, it is often the case that executives, IG/RIM professionals, and other vital stakeholders are too far removed from cybersecurity processes and initiatives to devote the attention and funding that they require. This paradigm is quickly shifting, however, as information security is increasingly coming to the forefront of organizational priorities.

Join Rick Surber and Jennifer Chadband, senior analysts from Zasio’s consulting division, along with guest presenters Elizabeth Khan and Dr. Sin Ming Loo for a webinar that bridges this divide by providing an overview of modern cybersecurity best practices and standards along with actionable steps to shore up your organization’s security, while providing practical and regulatory context relevant to the RIM/IG industry. Don’t miss Zasio’s first Virtual Coffee with Consulting session of the year!

*Our Guest Presenters

Dr. S. M. Loo is the Cyber Operations and Resilience (CORe) program director. He leads the effort in offering asynchronous online cyber operations and resilience programs. He is also a professor of Electrical and Computer Engineering at Boise State University. He holds a joint appointment with Idaho National Laboratory.

Elizabeth Khan, M.S. CORE, ESC2 Certified in Cybersecurity is a successful entrepreneur. Elizabeth has launched, operated, and sold numerous successful domestic and international ventures in a wide array of forums, including talent consulting, professional research, and regulatory compliance.

She has relied upon intricate communication, networking, and organizational skills, as well as her training and education in sales and marketing, to grow and advance each of those endeavors. Recently, Elizabeth has expanded into the field of cybersecurity with a focus on governance, risk, and compliance having attained a master’s degree and various cybersecurity industry certifications and credentials. In addition to private consulting, Elizabeth works as a security auditor for a large healthcare organization and also freelances as an instructor for Boise State University’s Cyber Operations and Resilience program.

The post Virtual Coffee with Consulting: Cybersecurity – The Mile-High View for Records and Information Management Professionals appeared first on Zasio.

Two massive data breaches exposing the personal information of millions of Australians rocked the country—one in September and another in October— prompting Australia’s parliament to swiftly respond with dramatic increases to penalties allowable under its Privacy Act.

In September, telecom company Optus made public news of a cyber-attack that had compromised its customers’ data—9.8 million customers, to be more precise.[i] The data included names, addresses, phone numbers, and dates of birth. For some customers, more sensitive information was exposed that included driver’s license, passport, and even Medicare ID numbers.[1] Fortunately, for Optus and its customers—active and inactive—no login credentials or credit card details were exposed.

Optus initially described the breach as a sophisticated hack,[ii] though Australian officials have been publicly critical of this claim.[iii] Such skepticism may be partially due to a statement by the hacker claiming responsibility that the data was accessed through an API that was open to the internet, and with no authentication credentials needed for access.[iv]

The alleged hacker ultimately released the personal information of around 10,000 individuals to a forum frequented by the less reputable side of the internet. Oddly enough, the hacker then apologized several days later and removed the data, although this was too late to prevent others from copying and continuing to distribute it on some shadier parts of the web.[v] There’s still a risk the remaining data could be sold—although the hacker claims to have deleted their only copy—and many Australians have already obtained replacement identification, placed credit holds, and taken other measures to protect themselves.

Breach No. 2

Not to be outdone, hackers responsible for the October breach accessed and stole the data of 9.7 million customers from Medibank, an Australian health insurer. Current reports indicate the breach may have occurred using stolen credentials from someone with high-level access at the company. These credentials were used to access its systems and create backdoors through which the data was exfiltrated.[vi]

Medibank alerted the public in October of a cyber security incident but claimed it had seen no evidence customer records had been accessed or removed[vii] —a positive outlook that was quickly crushed when hackers contacted the insurer to demand payment to prevent their release of the stolen data. The hackers then began releasing samples of the information and continued to pressure Medibank to pay a ransom.[viii]

Citing expert advice that any ransom payment would likely not prevent the data’s release and would encourage further attacks, Medibank refused to pay.[ix] Subsequently, the hackers released all of the stolen raw data in dumps to the dark web.[x] Although Australians were again spared from having their login credentials and payment details exposed, the breach included health claims data for hundreds of thousands of individuals, including diagnosis and treatment codes.

Adding to the headache suffered by the millions of impacted Australians, scams using the Optus and Medibank breach responses as a pretense to steal more sensitive information have exploded. These show no sign of stopping anytime soon.

The massive scale of the breaches, coupled with a lack of personal information safeguards and the public’s ire appears to have given Australia’s parliament momentum to pass amendments to the country’s Privacy Act. The legislation made it through both houses of parliament in just over a month and became law on Dec. 13, 2022. The amendment contains a drastic penalty, which is sure to haunt the nightmares of businesses across Australia.

Privacy Act Penalty Increases

Previous penalties for “serious and repeated interferences with privacy” maxed out at about $2.2 million AUD; however, that’s only if a court imposes a provision of the Crimes Act that allows penalties against a corporate body up to five times the maximum penalties allowed against a natural person. For natural persons, the prior penalties maxed out at about $444,000 AUD.

Under the new law, natural persons may be fined up to $2.5 million AUD. Corporate bodies are subject to MUCH steeper penalties, which can reach $50 million AUD or more.

Unfortunately, for those looking for a comeuppance for Optus and Medibank, the new penalty provisions will only apply to violations that happen after the amendments went into effect.

Other Changes to Australia’s Privacy Act

The amendments also broaden the powers Australia’s information commissioner has to obtain information and documents relating to data breaches, as well as provide broader information-sharing abilities between government authorities to facilitate better data breach responses.

It is unlikely that changes to the Privacy Act will stop there with amendments, though. The Australian attorney general has been conducting a review of the law since 2019, with a final report due by the end of 2022. The impact of the two breaches is likely to add support for any further recommended changes, particularly if they relate to enforcement or data subject rights. The breaches may also prompt support for the addition of a private right of action for individuals damaged by a failure to protect their personal data.

Conclusion

Australia’s privacy law has and may continue to see some significant changes, and businesses subject to it would be well served to take stock and ensure their own privacy practices and policies are defensible, practical, and compliant.

[1] Medicare is Australia’s publicly-funded universal health care insurance system.

[i] Optus “Latest updates & support on our cyber response” https://www.optus.com.au/support/cyberresponse/#latest

[ii] Sydney Morning Herald “’Sophisticated attack’: Optus hackers used European addresses, could be state-linked”, September 23, 2022

https://www.smh.com.au/technology/sophisticated-attack-optus-hackers-used-european-addresses-could-be-state-linked-20220923-p5bkfn.html

[iii] Ibid.

[iv] iSMG “Optus Under $1 Million Extortion Threat in Data Breach” Jeremy Kirk, September 25, 2022 https://www.bankinfosecurity.com/optus-under-1-million-extortion-threat-in-data-breach-a-20142

[v] The Guardian “Alleged Optus hacker apologizes for data breach and drops ransom threat” September 27, 2022

https://www.theguardian.com/business/2022/sep/27/alleged-optus-hacker-apologises-for-data-breach-and-drops-ransom-threat

[vi] Australian Financial Review “Revealed: how crooks got inside Medibank” October 24, 2022

https://www.afr.com/technology/revealed-how-crooks-got-inside-medibank-20221024-p5bsg4

[vii] Medibank “Cyber event timeline”, Update at 11 a.m., Thursday, 13 October, Update at 10:30 a.m., Friday 14 October, and Update at 9:30 a.m., Monday 17 October.

https://www.medibank.com.au/health-insurance/info/cyber-security/timeline/

[viii] “Cyber Security Hub “IOTW: Everything we know about the Medibank data leak” November 10, 2022

https://www.cshub.com/attacks/news/iotw-everything-we-know-about-the-medibank-data-leak

[ix] Medibank “Cyber event timeline”, Update at 9 a.m., Monday 7 November

https://www.medibank.com.au/health-insurance/info/cyber-security/timeline/

[x] Id., at Update, Thursday 1 December

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Recent Data Breaches Prompt Big Changes in Australian Privacy Penalties appeared first on Zasio.

It occurred to me that organizations have a similar hoarding problem when it comes to documents, which is amplified by the number of employees who keep copies and versions regardless of what kind of archival tools or records retention program is in place. After putting hours of effort and consideration working on, let’s say, a 35-page assessment and formal proposal, you can bet that most folks tuck an extra copy away on their hard drive or a file share somewhere…and probably print out a paper copy too, just to be safe.

Employees often have hoarder’s mindset, keeping copies and versions regardless of what kind of archival tools or records retention program is in place.

Sense of Ownership

That sense of ownership and the desire to avoid reinventing the wheel makes perfect sense, but all those hoarded documents have a downside because the information can pose an unseen risk to the organization. And the liability grows when people have a “keep everything” approach to records management, especially as the volume, velocity, and variety of content that every organization must manage continues to grow and evolve in this age of Digital Transformation.

Just Keep Everything

While digital transformation may seem like it’s all about collecting more and more data, the truth is not all data is good data and there is a great deal of liability for the company when it over-retains. For example, not having visibility into what an employee saves is a cause for concern, because you don’t know what type of information is being preserved by the employee and whether or not it falls within a proper retention schedule. And if they are holding onto a record for a longer period of time than they need to – regardless of the company retention policy – that information is still subject to disclosure through discovery, or any type of compliance audit, or other types of regulatory and legal proceedings.

You Don’t Know What You Don’t Know

Information security and data loss prevention (DLP) is also a pressing matter, especially as the number of cyber incidents continues to rise. If documents are hoarded by employees, organizations lack visibility into critical facts such as what is being over-retained, where it is being stored, who has access rights, and the appropriateness of the security applied to the content. If past incidents played out before the public is any indication, the hidden information represents a treasure trove of data for hackers looking for security loopholes.

Costs and Risks

The costs and risks are substantial, including fines for over-retention of certain documents and information (e.g., personal data). There are litigation costs that come into play through e-discovery, and very real exposure in court by virtue of what you are now compelled to disclose. Additionally, the harm to the organization’s reputation, loss of public trust, and impact on current and future business opportunities cannot be discounted.

Best Practices

It’s one thing to point out a problem and another to do something about it. Here are three best practices to consider:

Communication

The first step is communication and putting records management top of mind with every employee. It is important to set the expectation that everyone will follow through with the retention schedule and preserve documents according to the records management and other related corporate policies and guidelines. It is important to review corporate policies and guidelines from different departments (e.g., information security, IT, privacy, etc.) and assure alignment to address potentially conflicting information.

Training

Next step is training; not just at the time of new employee onboarding, but continuous refreshers along the course of the employees’ time at the company. As records management is reiterated and encouraged the tendency to hoard tends to fade from the mindset of the employees as it becomes second nature in the execution of their everyday tasks.

Make it Easy

Let’s face it, if the systems and procedures to properly save and archive records are hard to use, and people are not comfortable using and trusting the system, they will simply revert back to their old hoarding habits. Make it easy by using an automated process and reducing the number of steps for employees to follow where possible.

Moving Forward

When it comes to information governance and successful adoption, the focus needs to extend beyond just the technology and account for work culture and employees’ mindset. You can change that hoarding mentality through awareness, common-sense training, and implementing systems that make it easier for employees to comply with the organization’s information governance policies and guidelines.

For more information or to see how our Versatile technology solutions and consulting services can help manage and protect your records and ensure you comply with legal retention requirements, please fill out our Contact Form.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Tips to Prevent Hoarding of Documents appeared first on Zasio.

In any organization there is overlooked information that is never noticed and no one ever thinks about it. It includes, among other things, information captured in an image archive or document management repository, or it could be data housed in ERP systems, collaborative workflow platforms or any number of line-of-business databases. Even copiers and scanners hold cached images you may not know about. Things like social security numbers, financial and medical account details, addresses and phone numbers, are all found in these repositories, yet that information can be overlooked or hidden from view; especially as the volume, velocity and variety of information that must be managed continues to grow at unprecedented rates. This information can represent a treasure trove of opportunity for data hackers and cyber-thieves looking to steal sensitive and private data.

Can Your C-Suite Sleep at Night?

Data security and compliance are on the minds of C-suite leaders in all industries and it’s easy to lose sleep at night. It seems like every week there is yet another high-profile data security breach, and some of the world’s most tech-savvy companies are falling victim. Indeed, just recently Facebook, already facing scrutiny over how it handles the private information of its users, disclosed that an attack on its computer network exposed the personal information of nearly 50 million users. Some of the biggest victims in 2018 include T-Mobile, Quora, Google, and Marriott hotels, which recently revealed that hackers had accessed the information of an estimated 500 million customers.

At the same time, data protection regulations around the world are becoming increasingly strict. One prominent example is the General Data Protection Regulation (GDPR) that went into effect in Europe last year. The GDPR is an overarching data protection law that applies to all European Union residents and is designed to make companies more accountable for the way they process personal data. While the rule is European in scope, it influences compliance and liability for any organization dealing with the personal data of EU citizens.

For the first time, information security and compliance has entered the top three drivers for digital transformation..

Driver for Digital Transformation

For these reasons, data security and compliance are increasing drivers to organizational spending on digital transformation. In one AIIM International industry research report, “Governance and Compliance: A Real-World View,” organizations were asked to rank the top drivers for digital technology investment in their company. Improved process productivity (42%) and faster response (30%) remain at the top of common objectives, but for the first time information security and compliance has entered the top three drivers for digital transformation.

Costly Breaches

Is your organization at risk? Yes. Experts tell us that it’s not a matter of if your organization will be hacked, but when, and the chances that your organization will suffer a data breach this year are one in four. As the frequency of cyber-theft continues to grow, so too are the associated costs. One report from the Ponemon Institute reported that the global average cost of a data breach is up 6.4 percent over the previous year to $3.86 million. The average cost for each lost or stolen record containing sensitive and confidential information also increased by 4.8 percent year over year to $148. The direct costs include hiring experts to fix the breach, investigating the cause, setting up hotlines for customers and offering credit monitoring for victims.

The real impact, however, is found in the business that is lost and damaged goodwill in the market – both customers and Wall Street are wary after a breach. One good example is the archetypal breach at Target in December 2013, just weeks before the year-end holidays, which put the company in a tailspin. Five years later, the company still faces a number of government investigations and more than 80 lawsuits. Target incurred $61 million in costs associated directly with the incident at the time, but the total expense to the company is estimated to be between $500 million and $1 billion — and that’s on top of any sales lost as a result of customers avoiding its stores after the breach.

Tools to Battle Cyber-Theft

At Zasio, we’ve built some important tools to help battle cyber-theft, starting with Versatile Enterprise™, a complete records management solution that allows users to manage all corporate records (physical and electronic) in one system, and then apply consistent retention policies to those records. The system works in the background to automatically calculate disposition dates (or suspend them for retention holds) of relevant records according to retention schedules, and will notify you when they are ready for transfer or destruction. Versatile Retention™ is our application in which users can research retention and privacy laws, create and maintain up-to-date retention schedules that protect the security and efficacy of important, private and sensitive information.

Experts tell us that the chances that your organization will suffer a data breach in 2019 are 1 in 4.

It’s Not Always about Collecting More Data

The specter of security and compliance demands greater levels of information governance. And it’s not always about collecting more data…sometimes you need to get rid of data that is no longer providing value but may represent a great risk to the organization. That is where strategic records retention policies and practices make a real difference in reducing risk to your organization. Consider these aspects as you design your strategies. Look for tools like Versatile Retention and Versatile Enterprise that allow you to take the right actions to properly secure and protect private information.

Unsure if your company’s data security is where it should be? Talk to our experts! Contact us today for a free demo or assessment.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Is Redundant, Obsolete and Hidden Data Putting your Organization at Risk? appeared first on Zasio.

It’s almost Halloween, that time of year when many of us enjoy a good scare. However, one kind of fright no company wants to wake up to is the dark, dreaded monster of noncompliance. We often discuss household names when they face sanctions after information governance nightmares. Think the 2016 hack of Sony Pictures, the 2018 Facebook/Cambridge Analytic scandal, and the 2017 data breach at Equifax. However, it can and does happen even when we don’t hear about it. Let’s take a look at some recent thrillers in the realm of information governance.

Tales from an Email Inbox

In the 2017 ruling of GN Netcom, Inc. v. Plantronics, Inc., an executive at Plantronics deleted nearly half of his emails even though the company had issued a legal hold on all documentation pending litigation. He also instructed other employees to delete emails relevant to the lawsuit. The court found that Plantronics itself didn’t take reasonable steps to recover the emails. The result was a horrific $3 million sanction.

The Lost Data Server

In another 2017 ruling, Welfare Plan Bd. of Trustees et al. v. Connecticut General Life. Ins. Co et al., the defendant’s electronic records were transferred to a third party when their sister company (which owned the defendant’s data server) was sold. Though the sales contract required the third party to maintain the data, it simply didn’t happen. They deleted the electronic records the defendant had a duty to maintain. The defendant was ordered to pay all expert witness fees, attorney fees, and other plaintiff’s costs, in addition to imposed sanctions. Talk about chilling.

The Vanishing (Paper Records)

In a 2016 ruling in the case of O’Berry v. Turner, after a traffic accident, the plaintiff requested the defendant preserve driver logs. The defendant did so by printing a copy of the electronic records. Unfortunately, after a seemingly innocent office move, the paper records disappeared. For the defendant’s part, they had a couple of problems working against them. First, they should have consulted with an expert in records retention. If they had, they would have known the amount of time they were required to retain the records, as well as the best way to go about it. Eerily enough, the paper records were never seen again, and the defendant was hit with heavy sanctions.

Phantom Texts

In another 2016 ruling in the case of First Financial Security, Inc. v Freedom Equity Group, LLC, the plaintiff was ordered to produce text message relevant to the case at hand, but they, unfortunately, couldn’t comply. An employee involved in the case claimed his son deleted the messages to free up space on his phone. Rather than producing “native copies” of the text messages as ordered, they produced a spreadsheet, which did not suffice. The haunting result was 1.2 million dollars in damages awarded to the plaintiff.

Conclusion

As electronic records become more prevalent, it’s important to think about the frightening consequences of not complying with the laws and regulations that apply to your business. It’s crucial you have someone on your side that can guide your record retention schedule policy so you can best balance your business needs with your legal obligations. You don’t want to end up in a terrifying information governance horror of your creation.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Spooky Tales of Information Governance Noncompliance appeared first on Zasio.

Many companies started looking at their own system’s weaknesses after learning about the recent Uber data breach. No one wants to be the next data breach headline. This kind of news can make people long for the days when records retention was simpler and paper-based documents meant data protection wasn’t always part of the daily routine. Some may even wonder whether the benefits of personal data protection outweigh the administrative burden of returning to hard-copy records. [1] But did you know that low-tech data can be just as easy, if not easier, to breach?

How do data protection laws apply to hard-copy records?

Cyber-security is on the front-lines of the personal data battle, but it’s just part of the equation. Careless retention of hard-copy records that contain personal information can also result in a data breach. Careless retention can affect both small and large organizations and those with domestic or international connections. Many companies moved from hard-copy records to digital records. Digital records are a more efficient and “greener” system. However, overlooking hard-copy documents can leave companies open to personal data attacks and heavy sanctions.

While some data protection laws define “personal information” in detail, most are purposely vague. For example, Serbia’s Law on Personal Data Protection defines personal information as “any information relating to a natural person, regardless of the form of its presentation or the medium used (paper, tape, film, electronic media etc.).[2] The EU’s General Data Protection Regulation (GDPR) has its own definition of “personal data.” In fact, it makes no reference to the medium of the personal data.[3] However, the GDPR’s definition of a “personal data breach” covers the low-tech, minor data breaches and doesn’t even mention the medium of the data. The GDPR states that a personal data breach is, “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.”[4] The lack of clarity in the law can be costly for businesses. They could face high sanctions for what seems like a trivial loss of hard-copy records.

What are some differences for hard-copy data protection requirements?

Most data protection laws have broad requirements for both electronic and hard-copy personal information. However, some laws are more specific about the difference between physical documents and digital information.

Many data protection laws carry records-handling requirements that explain how to store, destroy, or protect hard-copy records that contain personal information. For example, the Netherlands AFM Compliance Regulations specifies that businesses must store physical data in a fireproof safe and digital data must be “safeguarded by technical access security systems.”[5]

Different laws carry different requirements. Zasio can teach you how to protect your data based on the laws that affect your business. We can also clarify other records retention requirements for you. Call us today.

[1] Draft PCI/S Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments, 5.3.3.

[2] Serbia Law on Personal Data Protection, RS Official Gazette Nos. 97/2008 and 104/2009, Article 3 (1).

[3] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Article 4 (1).

[4] Id. at Article 4 (12).

[5]  Dutch Authority for the Financial Markets Compliance Regulations, Regulations about handling inside information, Appendix 4 (Data Security).

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

The post Hard-Copy Files in a Digital World appeared first on Zasio.

Author: Frank Fazzio, IGP, CRM

Analyst / Licensed Attorney

The post Data Breach Living Wills: Information Theft Response and Recovery Plans appeared first on Zasio.

Author: Jennifer Chadband, IGP, CRM, ECMp

Senior Analyst / Licensed Attorney

The post Identifying Personally Identifiable Information appeared first on Zasio.