Mandatory notifiable data breach reporting: the importance of securing your print and capture environment

Transcription

1 Mandatory notifiable data breach reporting: the importance of securing your print and capture environment An overview of the mandatory notifiable data breach reporting requirements and what you can do to make sure your organisation complies Communications, Inc. All rights reserved.

2 2 Table of contents Introduction... 3 Why the NDB scheme, and why now?... 3 The cornerstones of NDB compliance... 4 Creating a secure document infrastructure with solutions... 5 MFP security... 5 Content screening... 5 Personal information redaction... 5 Support for your entire capture and print workflow... 6 NDB preparedness begins today with... 6 About Communications, Inc...6

3 3 Introduction Managing individuals personal and sensitive information is a key tenet of the government s mandatory notifiable data breaches (NDB) scheme. From 22 February 2018, organisations subject to the Privacy Act must comply with the NDB scheme, which requires organisations to notify individuals affected by a data breach that is likely to result in serious harm. These organisations must also notify the Australian Information Commissioner, the head of the Office of the Australian Information Commissioner (OAIC). 1 The definition of serious harm isn t confined to financial losses; it can include reputational damage or embarrassment, as well as emotional distress. The purpose of the NDB is to empower individuals to protect themselves in the event their personal information has been breached. Businesses should consider NDB compliance not as a burden or nuisance, but as a way to cement relationships with customers and demonstrate a commitment to transparency and honesty. Why the NDB scheme, and why now? is designed to protect Australians from fraudulent use of personal data, which is exponentially on the rise worldwide and in Australia. Recent estimates by the attorney-general s department indicate that identity crime costs Australia more than $1.6 billion each year, with around $900 million lost by individuals through credit card fraud, identity theft, and scams. 2 To comply with the Privacy Act, organisations must ensure their information systems are secure. Data protection should be by design and by default. Organisations are required to obtain consent to store information and promptly notify authorities if a data breach occurs. Individuals must also be able to request access to their information and have their information erased. Business documents represent a security risk when it comes to personal data. More than 60 per cent of customer information is stored in business documents, which means they likely contain personal data such as names and addresses, credit card details, bank account details, and other private information. Controlling documents and the processes involved with the print and capture of information is essential, especially since document workflow data breaches have increased by 49 per cent. 3 Encryption is just one component of a broad security strategy. Organisations must consider monitoring and preventative controls based on the sensitivity of the personal data they collect. Failure to have accountable and provable processes and procedures in place to protect personal data can result in substantial civil penalties Information provided by

4 4 The cornerstones of NDB compliance It s important for organisations to plan now to ensure compliance with the NDB scheme. For many organisations, ensuring compliance will simply be a matter of reviewing and reinforcing existing measures. Others may require a more comprehensive overhaul of their security tools and processes. There are four key steps businesses should take to ensure compliance: 1. Embed a culture of privacy Employees in organisations that value privacy are more likely to be aware of potential security vulnerabilities and take responsibility for keeping information safe. This can include having strong passwords, not sharing information via USBs or with unknown people, and generally treating personal information as a valuable business asset. Collect information that is necessary to do business; don't collect more than you need. 2. Establish robust and effective privacy practices, procedures, and systems Preventing an attack in the first place is more time- and cost-efficient for businesses, plus it avoids the potential reputational damage that can be caused by data breaches. Organisations should therefore implement strong security measures across the organisation. This includes being aware of what data is being collected, where it s being stored, what it s being used for, and who has access to it. 3. Evaluate privacy practices, procedures, and systems to ensure continued effectiveness Data security is not a set-and-forget activity, so organisations must constantly review the security measures in place to ensure they remain effective and appropriate. 4. Enhance your response to privacy issues Organisations need to be proactive in protecting personal information. Doing the bare minimum isn t enough in an environment where cyberattacks are increasing in number and sophistication. Organisations should commit to an ongoing program of education regarding privacy issues, and set a privacy culture that s reinforced from the top down. 4 Many organisations don t clearly understand what personal information is stored where and who has access to it. Implementing solutions in the business to enable a secure document processing, transportation, and storage approach will let the organisation guarantee that documents containing personal information are only stored and transported using secure methods, and copies are kept to a minimum. Businesses need to understand how often paper is left unattended at the printer, how many copies exist of a document, who has copied it, and who has printed it. They can answer these questions by securing the printing device. This includes controlling and tracking what each user can and can t do at a device. Follow-you print services can prevent unauthorised people from accessing documents. 4

5 5 Creating a secure document infrastructure with solutions Organisations need to be ready for individuals requesting access to their personal data. But that could be difficult to provide without organisational awareness or control over personal data storage. After all, a staggering 60 per cent of personal data is stored in paper documents today. 5 document imaging and capture solutions let business capture documentation in protected digital formats and store them in central repositories such as third-party document management systems (DMS). This lets the organisation reduce the number of copies of a document that exist. Having documents in digital format means they ll be transported between users and offices in a secure, encrypted, and protected manner. MFP security Multi-function printers (MFPs) present a significant risk to personal data in many organisations and are a potential liability when it comes to NDB compliance. Because most MFPs are connected to the internet, they offer anonymous off ramps to the outside world that many criminals will try to take advantage of. Data protection at these network endpoints is critical. solutions let organisations restrict access to these devices and control what users can or can t do at each device, including tracking each user s activities. Our solutions provide easy access to a compliant audit trail for monitoring all input and output from devices. solutions also employ data encryption to secure documents throughout business processes and workflow to ensure personal data is protected at rest and in-transit. Content screening Sometimes the greatest exposure to NDB non-compliance is offline when content is being shared between employees and partners. solutions support your efforts by screening documents sent via , printer and copier to ensure no personal data is left exposed. Documents are screened to validate the sender and recipient as well as to search content for keywords, phrases and patterns as well as attributes or barcodes. Documents deemed at risk are quarantined in real time for immediate protection, with notifications to the sender, supervisor and security to ensure any violations or exposures are addressed immediately. Personal information redaction solutions also support NDB compliance by automating personal information redaction. Scanned and printed documents are closely monitored for defined personal data. When identified personal data is automatically redacted to ensure the security of the document and the safety of the customer s information. Redacted content is stored and logged for further monitoring and then sent to the appropriate parties in a secure encrypted workflow. 5 Statistic provided by

6 6 Support for your entire capture and print workflow We know how critical data is to your organisation and that it is used throughout your systems and processes. That s why solutions are designed to integrate seamlessly with capture and print workflows. solutions even extend to personal devices to support mobile workforces. NDB preparedness begins today with The NDB scheme reiterates the importance of preventing security breaches. Preventative security measures help organisations minimise the risk of attack and should be part of the design of any solution related to the processing and management of personal information. With document imaging solutions such as AutoStore and ecopy, documents are securely captured into business workflows and processes, ensuring personal information is used according to the consent given by the subject of the personal data. Gaining control of print and capture workflows ensures that documents only transmitted to locations that are approved and compliant with an organisation s processes under the regulation, and that the use of the workflows is controlled with user permissions, ensuring that only authorised users can process personal information. Implementation requires one or more of the following solutions: Equitrac, SafeCom, Output Manager, AutoStore and/or ecopy. Implementation also requires specific document workflows and devices that utilise these applications or combinations of applications on your network. About Communications, Inc. Communication designs and delivers intuitive technologies that help people live and work more intelligently. We provide the tools to inform, connect, and empower people to be more productive and creative. With our imaging technologies that convert physical documents into searchable digital files, our priority is creating solutions that put people in command. For more information, please visit Copyright 2017 Communications, Inc. All rights reserved., and the logo, are trademarks and/or registered trademarks, of Communications, Inc. or its affiliates in the United States and/or other countries. All other brand and product names are trademarks or registered trademarks of their respective companies. NDI_425 OCT 2017