Australian Privacy Survey Finds That More Than Half of Organisations Are Not Aware of Recent Privacy Legislation Changes


McAfee Australia Pty Ltd.’s “State of Privacy Awareness in Australian Organisations” commissioned survey reveals Australian organisations are failing to adequately protect personally identifiable information of customers, in the lead up to significant changes to the Australian Privacy Act

SYDNEY, Australia, 29 April 2013 – A survey of Australian business and government agencies has found that organisations are largely unaware of upcoming changes to the Australian Privacy Act which may result in large fines imposed on organisations and individuals if they are found to have not adequately protected customer data after a data breach.

The “State of Privacy Awareness in Australian Organisations” survey, commissioned by McAfee in April 2013, found that with less than 10 months until the November 2012 changes to the Act enter into effect, 59% of employees responsible for managing the personal information of customers were unaware or unsure of these changes. From March 2014, Australian organisations subject to the amended Privacy Act could face penalties ranging from $340,000 for individuals to $1,700,000 for corporations.

The research also showed that more than one in five (21%) of Australian organisations admitted to having experienced a data breach. When coupled with the lack of awareness of the changes to the Privacy Act, this finding indicates Australian organisations have significant room for improvement.

Also of concern are the behaviours leading to breaches in Australian organisations. For example, 36% of those responsible for managing customers’ personal information in organisations – largely IT managers – stated employees are saving data to fileshare services in the cloud such as Dropbox or YouSendIt.

“These cloud-based services lead to a higher chance of a data breach since they can be accessed from the employee’s personal computing devices,” said Joel Camissar, Practice Head Data Protection at McAfee Asia Pacific. “This means that there is little visibility if valuable customer information is leaking out of the organisation.”

Perhaps unsurprisingly, following these concerning findings, the report also found that 47% of those responsible for managing customers’ personal information haven’t received training in the management and storage of sensitive data. In fact, over one third (34%) freely admit that they don’t believe that their organisation manages Personally Identifiable Information (PII) well at all.

“We measured the repercussions most feared by companies when it comes to a data breach. Reputational damage and loss of customer trust are feared far more than monetary penalties or the cost of fixing the breach itself,” said Camissar. “With the growing volume of big data being collected by Australian organisations, the implications for protecting privacy and building customer trust will be more important than ever and could even be leveraged as a competitive advantage. Simply put, good privacy equals good business. With less than 10 months until the changes to the Privacy Act come into play, preparations are clearly needed, immediately.”

Big Business and Government at Risk

Big business did not escape unscathed, either, with the report finding that, in larger organisations (greater than 2000 employees), almost a quarter (24%) have no visibility of Information Classification Policy adherence, versus just 9% of employees in smaller organisations. Interestingly, government organisations were less likely to know whether they have suffered a data breach than corporate businesses. Almost twice as many government respondents interviewed (31%) stated that they were unable to determine if they had suffered a data breach, compared to the average of all respondents (14%).

Instances of Data Breach

While 21% of Australian organisations surveyed were willing to admit experiencing a data breach, an additional 14% also said that they were unsure if they had experienced a data breach, suggesting at least one third of organisations may have been compromised.

Worryingly, within organisations that had admitted to a data breach, 67% of the time a member of senior management or privacy officer was not informed of the breach. Management and privacy officers need not feel left out, however, as 68% of customers and 79% of suppliers were also not informed of such breaches – despite the fact their personal information was compromised.

Interestingly, those organisations that were not aware of changes to the Privacy Act were less likely to encrypt data (49%). This not only displays a lack of information security protocols but puts customer information at risk of being compromised by hackers or by careless or disgruntled employees.

What gets lost?

A wide range of data types were lost from the organisations surveyed and, typically, multiple forms of data are compromised in each data breach. The top three types of data lost identified in the research were: customer personal information (48%), network and online application passwords (35%), and financial data such as customer credit card details, budgets and supplier information. Despite this, more organisations with 2,000-plus employees believe they manage personal data well (74%) than organisations with fewer than 2,000 employees (64%).

For more information, access McAfee’s “State of Privacy Awareness in Australian Organisations” full report or download McAfee’s Building the Case for Privacy brochure here.

About the Research
The “State of Privacy Awareness in Australian Organisations” research is based on 500 online interviews conducted in April 2013 with respondents indicating they are responsible for managing the personal information of customers in an organisation of over 25 employees. Quotas were set for company size and industry vertical.

This sample size gives a margin of error of ±4.4% at the 95% confidence level.

Research was conducted by StollzNow Research Pty Ltd – a company accredited with the industry ISO Standard 20252 and member of the employer group, Association of Market and Social Research Organisations.
