Data breach notification scheme no ‘armageddon’
- 23 February, 2018 12:47
Australia’s Notifiable Data Breaches (NDB) scheme is in effect and the next few months are set to test the validity of some “apocalyptic” predictions of late.
Are a wave of data breaches going to be made public when previously they would have been swept under the carpet or hidden from public scrutiny? My guess is that it won’t cause the stir that many are anticipating.
The Office of the Australian Information Commission (OAIC) is responsible for regulating the scheme and while it will provide greater visibility over the volume and impact of data breaches affecting customers in Australia, I don’t believe the goal is to name and shame – as much as there might be an appetite for it in some corners.
The scheme is simply a welcome exercise in good governance and provides greater motivation for Australian companies to manage breaches properly.
The truth is, data breaches are more of an inevitability than ever and what makes the news is a poorly managed one. This is especially the case in an environment where consumer trust in Australian business is declining and there are major concerns about privacy and the way companies treat our personal information.
In this context transparency is key and, in many cases, businesses are judged by the manner in which they respond to and communicate about breaches, rather than the nature of the breach itself.
The most notorious breaches in the last 12 months are a case in point, with one of the world’s leading ride sharing companies making headlines for all the wrong reasons.
Late last year Uber was forced to officially disclose a data breach that affected over 57 million users on its platform way back in 2016. What helped to make the story so sensational was the company’s alleged attempt to cover it up by paying off those responsible.
The breach was only made public when it was reported by the press, meaning millions of users found out their data had been compromised by reading it first in the news rather than hearing from the company direct. Not exactly a great way to build trust through transparency.
Delays in communicating a breach are common, particularly when the data of so many people is affected. The NDB should help to put an end to that by enforcing customer communication as well as reporting to the OAIC.
However, the result of accelerating the need to communicate adds additional pressure to the required speed and quality of response and recovery efforts. Those organisations that weather a data breach relatively unscathed are those that act quickly to understand the extent and impact on their customers.
They get the right people in the tent early, can immediately implement measures to contain the breach, remediate as required and communicate to those parties impacted.
This includes engagement early with the regulator. A poor and slow response to a data breach may not only cause a compliance breach risk with respect to the Privacy Act but opens the door to longer term risks of damage to brand reputation and financial loss.
For most companies, I suspect having a data breach plan and providing honest and timely communication to those affected will mean there isn’t much of a story. Especially given the volume of breaches nowadays. Some tech publications, in particular, have flagged “breach fatigue” among their readers with a new case reported every few days.
Rather than unveiling corporate malfeasance in customer data management, I am hopeful that the NDB will be a motivator for truth, providing a framework for organisations to manage breaches well and build a valuable skillset into their DNA.
The art of good breach management comes down to accountability, readiness and transparency. Businesses must be seen to be responsible cyber citizens, rightly held to account for a breach but in the same regard, applauded for proactive collaboration and contribution to the community that is helping to raise the cyber standard in Australia. This movement is well underway.
Australian businesses need to anticipate and be prepared to respond when, not if, a breach occurs and they need to be open in their communications with all stakeholders affected. It’s the age of transparency – customers will demand it, the OAIC will regulate it and the best businesses will deliver it.
Shane Bell is a partner, cyber and forensic technology at McGrathNicol Advisory.