Australia has a new Notifiable Data Breaches (NDB) regimen, one of the tightest in the world. Failure to comply with the new law could result in hefty fines.
As of yesterday businesses and government agencies have to notify possibly impacted individuals and the Privacy Commissioner if lost or stolen data “is likely to result in serious harm to any individuals whose personal information is involved in the breach”.
Where previously there was no obligation to report breaches, regulators must now be notified “as soon as practicable”.
Although these laws have been in the making and publically debated for ten years, research shows that most Australian businesses believe they are not prepared for the new regime (HP Australia IT Security Study, February 2018).
Technological development continues to accelerate, making our world more digital and data driven. The value of data has increased exponentially, and as a consequence the appetite for that data among cyber criminals has also increased.
The number of reported breaches rises every year in Australia and will likely continue to do so under the new legislation. A recent report by Breach Level Index, has found that Australia suffers the most data breaches in the Asia-Pacific region.
The best way to mitigate the impact of a data breach is, as with most threats, preparation. This involves highlighting the importance and value of data and how it is managed across the whole business. Staff needs to be trained to properly handle and secure data. Businesses need to adapt to a more data privacy conscious working environment.
Organisations need to have contingency plans in the eventuality of a data breach. These new laws have only reinforced that need. Data breach risk management is no different to general risk management or crisis management. The processes are the same, albeit overlayed with the specifics of a data breach.
Companies will need to go beyond the operational aspects of the crisis and consider the communications as well. Questions companies need to ask themselves in preparing for a data breach crisis include:
• Is there a crisis management committee?
• Who/where in the company should data breaches be reported?
• Do all employees know who to report a breach to?
• Who holds the relationship with the Office of the Australian Information Commissioner?
• Are there other government agencies that may need to be informed of a data breach (or cyber-attack)?
• Do you have a matrix of stakeholders that need to be notified of a breach, when they need to be notified and who will be responsible for notifying different stakeholders?
• Do you have a media plan, holding statements and a designated spokesperson?
Transparency in the event of a data breach has proven time and time again to be highly regarded by the public. To be seen to be communicating during a data breach crisis can help boost confidence in the company by demonstrating that it is doing everything in its power to protect private data. How quickly it communicates and what it says during a crisis will determine how a company is perceived during and after the crisis. Protecting your reputation will depend on how much preparation has been undertaken prior to a data breach occurring.
By Francisco Lacerda, Account Manager
Francisco has worked on a number of crisis manuals for clients, including for cyberattack and data breaches.