How serious is a data breach?

O*NO you’ve had a data breach! But is it serious? How do you tell?

Some questions to ask yourself:

  • Are your clients at risk of serious harm as a result of the breach?

  • What could the consequences be for the agent/agency responsible for the breach?

  • Can you prevent serious harm and mitigate consequences with remedial action?

What does a serious data breach look like?

A data breach is serious if unauthorised access, disclosure, or loss of personal information is likely to result in serious harm to an individual, AND remedial action by the entity responsible for the data is unable to prevent the risk of serious harm.

How do you know if serious harm is likely?

The level of harm to your clients will depend on what information has been breached and how it was breached. Work through the possible consequences to your clients if the breach is not contained.

Personal information that is more likely to cause serious harm if breached includes:

  • Health and other sensitive information.

  • Details used to confirm identity, commonly used for identity theft or fraud: passport, licence, or government identifiers.

  • Financial information such as bank account or credit card numbers.

  • Multiple types of personal information breached.

As a real estate agency, you hold personal information and bank details for all your clients, which puts you at great risk if there were to be a breach. Any breach is likely to bring serious harm to your clients and should be treated as serious.

According to the OAIC, identity information was involved in 30% of data breaches reported last year, financial information was involved in 37%, while health & other sensitive information was involved in 30%. Contact information such as home addresses, phone numbers and emails was involved in 77% of breaches notified. While contact details may not seem as likely to cause serious harm, they can be used by scammers to gain more information through phishing or social engineering, so the potential to cause serious harm is certainly there.

Circumstances which indicate a data breach is serious include:

  • Where the people whose data was breached are vulnerable or at particular risk of serious harm.

  • Where data is unencrypted or not password protected.

  • Where malicious agents may access the data.

  • If the data has been accessible for a length of time.

  • Large datasets, which are more likely to cause serious harm to at least one individual.

Was the cause of the breach malicious?

Hint: this includes phishing, malware, social engineering, impersonation, theft, and actions of rogue employees.

Malicious attacks are deliberate attempts to exploit vulnerabilities for financial or other strategic gain. It is more likely that whoever receives the information intends to cause harm to affected individuals. They are also potentially better able to bypass any security protections on that information.

Considering the nature of the harm that may result will give you an idea of whether the breach is serious, especially if it includes any of the following:

  • Identity theft

  • Financial or credit fraud

  • Physical threats including family violence

  • Humiliation, harassment, or bullying

  • Loss of business or employment opportunities

  • Damage to reputation or relationships

Boring legal stuff: This article is general information only and cannot be regarded as legal, financial or accounting advice as it does not take into account your personal circumstances. For tailored advice, please contact us.
