The number of self-reported data breaches received by the Office of the Australian Commissioner (OAIC) for the entire 2016-17 financial year was 114.1 In the six week period following the 22nd of February there have already been 63.[1] Why the sharp spike?
February 22nd happens to be the date when the OAIC enforced the Notifiable Data Breaches (NDB) scheme. The scheme establishes obligatory requirements for agencies and organisations when a data breach is likely to result in serious harm to any individuals whose personal information is involved in such an event.
The first OAIC quarterly report also revealed the majority of the reported data breaches were caused by human error.[1]
Health service providers reported the largest number of breaches (15), leading legal, accounting and management services. Finance, education, and not-for-profit sectors were not far behind.[1]
The obligation to report recognises that meeting privacy standards and the expectations of your stakeholders is key to maintaining trust and respect for on-going uses of data. However, companies managing reputation risk need to go beyond merely ticking the legal box and reporting outcomes to the government in order to fulfil their ethical responsibilities.
The NDB scheme formalises what people already expect from organisations as a customer or a member of the public, but transparency and accountability are still non-negotiable in today’s world of expansive and unpredictable data usage.
The scheme requires organisations who have suffered an eligible data breach to notify “individuals at likely risk of serious harm” after they have become aware of “reasonable grounds to believe an eligible data breach has occurred”.
According to the OAIC, an eligible data breach arises when the following three criteria are satisfied:
(1) There is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds,
(2) this is likely to result in serious harm to one or more individuals, and
(3) the entity has not been able to prevent the likely risk of serious harm with remedial action.[2]
Depending on the incident most organisations will possibly require notification to affected individuals, insurers, corporate regulators, law enforcement agencies and other identified stakeholders. The handling of these communications is highly sensitive and requires experienced consideration from a qualified response team familiar with crisis communication.
While this seems like a considerable effort for many organisations, and even drastic to some, these protocols will become essential since they will enable what will soon be perceived as the absolute minimum level of transparency required. As a consequence, organisations will need to be seen as more proactive and culturally aligned with these standards in order to be transparent. It will no longer be a matter of having IT get on top of it and then sweeping it under the rug!
A December 2017 survey from CyberArk’s Global Advanced Threat Landscape Report 2018 revealed that nearly half of Australian business leaders (47%) have no idea what to do when their organisation suffers a cybersecurity incident, including a data breach (this included one third of IT security professionals).[3]
The survey also revealed the failure of industries to properly notify customers after a cyber-attack when their personal information was compromised. Australian organisations have work to do upgrading their IT and communications if they are to stay true to their commitment to best practices.
Further, one of the key findings from the SenateSHJ Reputation Reality 2017 report (surveying 146 business and public sector leaders) showed only one in four Australian respondents have high confidence in their ability to successfully manage their crisis communication plan in the event of a crisis.[4]
The reputational risk environment around data is constantly shifting – just look at the recent Facebook Cambridge Analytica crisis.
If organisations have high degrees of exposure and vulnerability then, by association, their reputations are also at risk.
Their corporate and, potentially, their personal reputations will suffer if they cannot communicate adequately around a cybersecurity incident because of a lack of effective crisis communications planning and preparation.
Organisations cannot stop every IT incident but when half of Australian businesses admit they are unprepared for data breaches, it is only a matter of time before the lack of consideration takes centre spotlight.
When it comes to prioritising crisis and issues planning around data breaches and responding effectively to cybersecurity events, organisations can ‘upgrade’ their proactive risk management practices but first they have to ‘de-bug’ their current approach.
Start by asking: Do you have a crisis communications plan? Have you tested it? Who is part of the response team? Do they know what their roles are when a crisis hits? What resources do you have to make sure your organisation doesn’t go into ‘power-saver mode’?
Like a software bug which forces the program to evolve and become something new, organisations also need to adopt rigorous crisis and issues planning in order to be prepared for the new and unpredictable landscape of data and privacy.
Is your company stuck with outdated and obsolete crisis management practices or have you installed crisis planning 3.0 - the newer version which upgrades your ability to deal with the world of notifiable data breaches?
[1] OAIC (11 April 2018) Notifiable Data Breaches first Quarterly report released
[2] OAIC (December 2017) Identifying eligible data breaches
[3] CyberArk (December 2018) CyberArk Global Advanced Threat Landscape Report 2018
[4] SenateSHJ (July 2017) Reputation Reality: Trans-Tasman perspectives on reputation and risk