In February 2019, it was announced by one of Australia’s largest property valuation firms, LandMark White (“LMW”), had suffered a data breach compromising over 100,000 documents, including valuations and clients’ personal information.
Although a frightening prospect for businesses is the increasing risk of data breaches, it is important to learn from LMW’s mistakes and take note of where this all went wrong. It would appear the breach was the result of two IT consultants accessing data without prior authorisation. More concerning is the afterthought that the consultants had in exposing the more than 170,000 records to the dark web. Both consultants have since been charged with indictable offences, including fraud.
The breach was physical in nature, with the consultants having alleged to sever a fibre optic cable, therefore, enabling a 10 day period in which LMW’s data was vulnerable. LMW has since suggested the financial loss suffered as a result of the breach is in the region of $50 Million, being market capital and revenue loss combined.
One of LMW’s largest mistakes was that majority of its data was located on a singular platform used for external staff access. Upon the breaches becoming apparent, the platform was suspended, leaving clients, stakeholders and employees with no access to critical documents for the continuation of business transactions.
Businesses should be keen to ‘scenario plan’ in which multiple access points are prepared in the event of a breach. Within the creation of these access points, one may also consider the possibility of diversifying the holding of data to avoid the possibility of one breach allowing access to all sensitive data.
Since the publication of the breach, suggestions have been made that several employees of LMW were aware of the system’s vulnerabilities months prior. Without further information, it is difficult to postulate whether LMW followed up these warning signs or not. However, senior management should seriously consider reviewing their internal governance/reporting policies and processes. Taking an ‘all for one and one for all’ approach on reported vulnerabilities could save companies millions in the long run. A general policy that all employees are to report potential breaches coupled with a clear investigation protocol is in a businesses’ best interests.
Furthermore, it may not be the case that businesses have poor governance or reporting produces, but rather the culture around such reporting is lacking. Potentially businesses may consider making clear to employees there are significant positives in reporting potential data vulnerabilities, no matter how small. LMW is said to have had 140 employees terminated or made redundant in the wake of its internal breaches – something all businesses should educate employees about and the risks associated with failures to report.
Ultimately, LMW gives us an opportunity to take an internal view on processes and policies surrounding the retention of data and how to minimise financial risks should a data breach occur. The potential for significant data transactions is no longer a thing of the past and is fast becoming an element of sophisticated clients’ choices in business providers.
Got you thinking?
Considering updating your internal policies or have some specific questions concerning reporting obligations for data breaches, Rouse Lawyers is here for you. We have an experienced commercial team that can assist with drafting or specific legal advice. Call us today and get a dedicated legal team behind your business.