If a tree falls in the woods and there’s no one around to hear it, does it make a sound? For many Australian businesses, this philosophical thought experiment has guided their responses to data breach disclosure: if a breach occurs and no one is notified, did it ever happen?
Well, for organisations with an annual turnover more than $3 million, falling trees will start making sounds that can’t be ignored when Australia’s Mandatory Breach Disclosure laws come into effect on February 22.
At a high level, organisations earning above the $3 million threshold must notify the Office of the Australian Information Commissioner (OAIC) and all affected individuals of a data breach as soon as practicable. While there are some exemptions, this law will largely put an end to the ‘stay silent and pray’ strategy some organisations have opted to implement in the past.
While disclosures to the OAIC will take the shape of formal correspondence, notifying customers and managing the subsequent fallout is a gauntlet best run with preparation and a clear strategy in mind.
Get this piece wrong, and the business ramifications could be far worse than the potential $1.8 million civil penalty from the OAIC for failing to comply.
So how should an organisation approach notifying customers whose personal details have been compromised in a data breach? Below are seven factors organisations must keep in mind during disclosures:
Knowledge: Before you can disclose accurate information about a data breach, you need accurate information about what caused the breach, how it happened and how it impacts those customers. Before contacting affected individuals, be clear about what you know and what you don’t know.
Restraint: Once you have a clear understanding of the breach and its impacts, it is important to communicate only those details to your customers. Avoid falling into the trap of issuing spin-heavy statements to appear informed and in control of the situation. This will end badly.
Accuracy: Following the initial disclosure, data breaches are of most interest to technically literate people, so ensuring technical accuracy is critical. A technically savvy person will analyse any statements to get a complete picture of the breach, so saying lost passwords were encrypted when they were actually hashed will raise more questions than it answers.
Clarity: It is important to clearly state who is affected by the data breach and who is not. Simply stating “You have been contacted if your data was compromised” helps avoid any confusion (assuming that statement is true).
Timeliness: Deciding when to notify customers after a data breach is one of the most significant decisions an organisation can make. The challenge is not communicating too soon (without enough information) or waiting too long (falling foul of the Notifiable Data Breaches Act and risking someone else disclosing the breach). If analysing and gathering information about a breach is expected to be protracted, some form of interim notification should be sent, then followed by updates as and when information becomes available.
Empathy: Ultimately, your customers determine the value of the data that is compromised. Even if your organisation considers the data to be of ‘low risk’, your customers may feel otherwise. Therefore, it is critical to respect how your customers value their data and avoid downplaying the severity of the breach.
Genuineness: Being genuinely apologetic and wanting to help your customers through the data breach and mitigate any damage is essential if you are to regain your customers’ trust. Find out what steps customers can take (e.g. credit checks) if they’re concerned and advise them on how to access these services.
While the pending breach disclosure laws can see organisations face civil penalties in excess of a million dollars for failing to adequately notify customers of data breaches, this pales in comparison to the cost of losing customer trust.
Above all else, having a plan in place is critical to ensuring an appropriate response – template statements, clear chains of command, and defined processes will help bring order during the chaos that ensues after a breach is discovered.
After all, instead to hoping a falling tree makes no sound, you should be yelling “timber” to warn others of its fall.