The party may be over for PageUp, but how long will the hangover last?

I recently received an email from a major corporate organisation, advising me that my personal data may have been breached. Not by them, and not by me. That organisation used the services of Melbourne-based PageUp People to manage its recruitment processes. 

PageUp collects and processes personal information such as names, addresses, phone numbers and much more – everything you’d supply when applying for a job with a major corporate organisation. I provided my information when I applied for a job at that organisation – and I’d completely forgotten about it.

Around the end of May 2018, PageUp detected “unauthorised activity” in its computer systems. PageUp acted promptly in declaring the data breach and has engaged security experts to help resolve the situation.

Prior to the introduction of the Notifiable Data Breaches scheme (NDB) in Australia on February 22nd, some organisations might have sat quietly on bad news of this nature, but, with some 55 breaches declared in the latest quarterly statistics from the Office of the Information Commissioner, it does seem that transparency and openness have improved.

Unfortunately, in situations like this, the damage is done. Regardless of what information has been accessed, and how it might subsequently be used, an incident of this nature is not just a breach of security, but of the confidence and trust of clients, past, present and future.

In the PageUp situation, major corporate clients have warned prospective job applicants about the breach with some suspending use of the service. Somewhat ironically, the email provided a link to Scamwatch, so that I can “protect my personal data” – even though I wasn’t the one that lost it!

Meanwhile, for PageUp, the “Consulting Clock” has started ticking. We will probably never know exactly how much it costs PageUp to resolve this, but we have a reasonable starting point, with the average cost of data breach per organisation estimated to be around USD $3.6m.

There’s potentially worse news to come. Unless you’ve been living under a digital rock, you’ll have heard about the European General Data Protection Regulation (“GDPR”) introduced in May 2018, the obligations it places on organisations to protect personal information, and the rights it gives people to access that information and to have it amended or deleted.

In Australia, the right to access and correct personal information was introduced in the Australian Privacy Act 1988 (Cth) (“APP”). So it’s safe to assume that we’re becoming better informed about our rights to access our own information than ever before, and that we’ll start exercising them as situations like PageUp People’s continue to be exposed under the NDB spotlight.

The business process around assessing, collecting, cleansing and providing information will, for many organisations, be complex, time-consuming and expensive, and it will not scale well. According to the International Association of Privacy Professionals (IAPP), subject access requests were among the top three most difficult GDPR obligations for those surveyed: specifically, data portability, followed by right-to-be-forgotten requests and gathering explicit consent.

Let’s have a think about that for a moment, and make a few assumptions purely for the sake of calculation: your organisation collects and/or processes PII belonging to 100,000 individuals. Of those, say 1% decide to exercise their new rights, under GDPR or Australian Privacy Law, and request a copy of their PII stored by your organisation. That information is stored across a typical range of systems including marketing, sales, fulfilment and support, plus maybe a shared content repository for contracts etc. How long would it take, and how much would it cost, for someone to collate all of that information, redact it and provide it back to the requestor? Or to remove it, on request, or both?

The ideal solution will be a blend of good process, competent and skilled people, and appropriate technology. Let’s break these down and take a look at what’s involved.

Process

From the moment a subject access request is received, the clock starts ticking. You’ll have one month to respond to the request. Given that “personally identifiable information” could include anything from job application data through to phone call recordings or CCTV footage, the amount of information to collect could be considerable.

A helpful approach to this situation is to understand where PII is stored, and what business processes cause it to be stored in those places. An initial data flow and process mapping exercise could provide this information and act as a guide for the collection process.

When providing PII, you’ll want to make sure you’re not compromising the privacy of other individuals, so some sort of cleansing or redaction process may be necessary. On top of all of this, you’ll likely need governance and management processes, to ensure that the process is completed within quality, time and cost parameters.
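The three Process steps above (map where PII lives, collate a subject's records, redact other individuals before responding) can be sketched in code. The following is an added example, not part of the original post: the systems, people and records in `DATA_MAP` are constructed sample data, and the collation and redaction rules are illustrative assumptions, not any product's logic.

```python
import re
from copy import deepcopy

# Constructed data map (hypothetical systems and people): the output of a
# data-flow mapping exercise, recorded as "which system holds which PII".
DATA_MAP = {
    "crm": [
        {"email": "ana@example.com", "name": "Ana Lopez", "phone": "+61 400 000 001"},
        {"email": "bob@example.com", "name": "Bob Ng", "phone": "+61 400 000 002"},
    ],
    "support": [
        {"email": "ana@example.com", "ticket": 101,
         "notes": "Ana Lopez called about invoice; referred by Bob Ng (bob@example.com)."},
        {"email": "bob@example.com", "ticket": 102, "notes": "Bob Ng asked about a refund."},
    ],
    "recruitment": [
        {"email": "ana@example.com", "role": "Analyst", "referee": "Bob Ng"},
    ],
}

# Catch-all for e-mail addresses that are not in the data map at all.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")


def known_identifiers(data_map):
    """Collect every name, e-mail and phone held in the map, keyed by subject e-mail."""
    ids = {}
    for rows in data_map.values():
        for row in rows:
            subject = row["email"]
            ids.setdefault(subject, set()).add(subject)
            for key in ("name", "phone"):
                if key in row:
                    ids[subject].add(row[key])
    return ids


def collate(data_map, subject_email):
    """Step 1: pull every record in which the subject appears, system by system."""
    return {system: [deepcopy(r) for r in rows if r["email"] == subject_email]
            for system, rows in data_map.items()}


def redact_third_parties(records, subject_email, ids, marker="[REDACTED]"):
    """Step 2: strip other individuals' identifiers from the subject's records."""
    others = set()
    for subject, identifiers in ids.items():
        if subject != subject_email:
            others |= identifiers
    # Longest identifiers first, so "Bob Ng" is replaced before any shorter substring.
    patterns = [re.compile(re.escape(o)) for o in sorted(others, key=len, reverse=True)]

    def keep_own_email(match):
        return match.group(0) if match.group(0) == subject_email else marker

    out = {}
    for system, rows in records.items():
        out[system] = []
        for row in rows:
            cleaned = {}
            for key, value in row.items():
                if isinstance(value, str):
                    for pattern in patterns:
                        value = pattern.sub(marker, value)
                    # Unknown e-mails are treated as third parties too.
                    value = EMAIL_RE.sub(keep_own_email, value)
                cleaned[key] = value
            out[system].append(cleaned)
    return out


def build_sar_response(data_map, subject_email):
    """Full pipeline: collate, redact, drop systems that hold nothing on the subject."""
    ids = known_identifiers(data_map)
    records = collate(data_map, subject_email)
    redacted = redact_third_parties(records, subject_email, ids)
    return {system: rows for system, rows in redacted.items() if rows}


if __name__ == "__main__":
    for system, rows in build_sar_response(DATA_MAP, "ana@example.com").items():
        print(system, rows)
```

The redaction works from the same data map that drives collection: anything the map knows about another individual is treated as third-party PII wherever it turns up, including inside free-text notes, and a regex catches addresses the map has never seen. In a real exercise the map would be the output of the data-flow and process mapping the post recommends, and each "system" would be a connector to a live store rather than an inline list.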

People

Potentially, many different roles could be required to play a part in a subject access request. For example, system administrators or owners, information architects, security officers, legal counsel and project managers. All of these people will need to know what they’re supposed to achieve, understand the parameters within which they will perform the work, and have the necessary skills and competencies to undertake the work.

A training programme may be needed, to ensure that the request is met within the obligations of the law (whether European or Australian).

Technology

The right technology can help the process to scale and reduce business risk. For example, the business processes that you’ll need to follow might lend themselves to automation. You may already be using products such as Nintex elsewhere in your business, which could be used to automate your subject access process.

Online forms could be used for entering information about the request, workflow software could automate the review and approval components and potentially retrieve the information from information stores (such as your CRM, email or document management systems) using connectors, and automatically generate documents with that information.

Although some investment will be required to build this capability, the return on investment and total cost of ownership can be reliably calculated, especially when combined with workflow analytics.

Additionally, there’s a strong advantage for those organisations using Microsoft 365. The cloud-based Microsoft 365 brings together several Microsoft services and products: Office 365, Windows 10, and Enterprise Mobility + Security.

There’s considerable complexity, and overlap, in the security and compliance elements available, and these will differ according to your license type. Although a detailed “how to” discussion is beyond the scope of this blog, let’s take a very high-level look at how Microsoft 365 could support your compliance obligations.

Assessment – what information do we have, where is it, who has access to it?

Microsoft 365 provides tools for scanning, classifying and reporting on your content, whether it’s “on-premises” (your own data centre) or in other systems such as Box, Dropbox, Google etc.

Information Protection – now we’ve identified it, how do we protect it?

Microsoft 365 provides tools for protecting your information even when it leaves the organisation.

Security – how do we keep the bad guys out?

Microsoft 365 provides a secure cloud platform, assessed and certified by government security agencies, plus tools for monitoring and scoring security configuration.

Compliance data access requests – how do we service requests for PII data?

Microsoft 365 provides tools for discovering, managing and reporting on information on a per-case basis.

Compliance Monitoring – how do we ensure continuing compliance?

Microsoft 365 provides tools for scoring and monitoring your compliance with various regulations, including HIPAA, PCI and GDPR.

Afterthoughts

Of course, most organisations’ information network will spread well beyond the remit of Microsoft 365, including on-premises systems such as file shares, databases, business systems and so on. And the complexity of that information network will likely be considerable.

Nevertheless, if you have obligations, you must meet them, or risk facing penalties. Regardless of how big and complex the problem is, approach it as you would eat an elephant – one bite at a time.

Start with mapping out your information stores and data flows. AvePoint’s excellent Privacy Impact Assessment tool is endorsed by the IAPP and is a good place to start, and it’s free. As your assessment and remediation project progresses, AvePoint has other compliance tools to provide broader reach and depth.

This has been a hugely simplified summary of a very complex technology landscape. Empired can help you make sense of this, achieve your business objectives and meet your compliance obligations, by delivering the business outcomes you need. The place to start is a quick, high-level assessment to determine where you’re at, where you need to be, and how to get there.

If every cloud has a silver lining, surely it’s this: in addition to being a better investment than the cost of managing a data breach, the outcome of your investment will be the opportunity to build customer trust, to say to clients “we take this seriously and we’ve done something about it – you’re safe with us”. Who would you rather do business with?

Posted by: Doug Baxter, Solution Specialist | 02 July 2018

Tags: Privacy, Security, GDPR, NDB, Privacy legislation, Privacy and compliance
