
9 ways to retain customer trust after a data breach

From today, the mandatory Notifiable Data Breaches (NDB) legislation, established as part of the Privacy Amendment (Notifiable Data Breaches) Act 2017, will be enforced for all APP Entities with personal information security obligations under the Australian Privacy Act 1988 (Cth). It couldn’t have happened soon enough for consumers and those fighting the ongoing battle against cybercrime. But while mandatory data breach transparency is fantastic news for the security industry, losing customer trust isn’t. We look at what you can do now, and in the event of a data breach, to help organisations protect their customers’ data and maintain customer trust.

What does the Notifiable Data Breaches legislation mean for organisations?

The legislation will impose a legal requirement for all eligible organisations, which include APP entities with an annual turnover of $3 million or more, to provide a notice (as soon as practicable) to individuals whose personal information has been, or is suspected to have been, involved in an eligible data breach that is likely to result in serious harm. They must also provide recommended steps to both remediate and mitigate future attacks. The Office of the Australian Information Commissioner (OAIC) must also be notified of each eligible breach.

The question on impacted organisations’ minds, however, is: Will this legislative change have a negative impact on customer trust and perception? The short answer is, it doesn’t have to. We’re all for collaborating and sharing information to help bolster cyber defences and combat cybercrime, and that includes working with our customers. It’s just about making sure everyone understands that.


Here are nine tips to help organisations maintain customer trust both before and in the event of a data breach.

1. Understand what’s required of your organisation because of the NDB scheme

First and foremost, it’s vital to understand what’s legally required of your organisation now that the NDB scheme has taken effect. Organisations that are unsure whether they are an APP Entity under the Privacy Act should seek professional advice.

If you are considered an eligible APP Entity, read up on the notification options recommended by the OAIC, as well as the required information inclusions for each notification option – you don’t want to end up being liable for sanctions, or cause panic because you failed to comply with the requirements.

You can find more information about the Notifiable Data Breach legislation on the OAIC website. You can also email enquiries@oaic.gov.au, or call 1300 363 992.

2. Be upfront about the NDB changes to your customers – before there’s a breach

Give your customers a heads-up about the NDB legislative changes now, so they understand what to expect should there be a breach. That way there won’t be any surprises if an eligible breach occurs that requires them and the OAIC to be notified.


3. Remind your customers that we’re all in this together

Successful cyber breaches are now commonplace in news headlines. It’s a good idea to remind your customers just how common they are, without causing any undue panic. By highlighting the fact that attacks are becoming increasingly sophisticated and frequent, and the need for a joint defence between organisations, cyber security experts, governments and consumers, your customers will want to be part of the solution. Should a breach occur, your customers will already be more aware of actions they may need to take and can rely on you for transparent communication.

Remember – collaboration, transparency, awareness and knowledge-sharing are the keys to a safer cyber landscape.

4. Understand when a notification isn’t necessary

Not all data breaches require notifications to individuals or the OAIC. In particular, a data breach that satisfies the requirements of an eligible data breach won’t require notification if the APP Entity takes remedial action and a reasonable person would conclude that (as a result of the remedial action) the data breach is not likely to result in serious harm. This exemption highlights the importance of early detection and action and having an appropriate process in place to identify and respond to a potentially serious data breach.


5. Learn as much as you can about the data breach and share key information with your customer and the OAIC

The first questions your customer will ask if there’s an eligible data breach that could cause them serious harm are: ‘What exactly happened?’, ‘How did it happen?’ and ‘What’s been done about it?’. You want your initial response to these questions to be accurate to allay fears, without sounding waffly or defensive. Don’t pretend to know any information you don’t, in case you get contradicted down the track.

Once a suspected data breach is determined to have the potential to result in serious harm, and meets the requirements for notification, the key is to examine the root cause of the breach and the extent of the damage quickly, or to engage someone who can. The organisation must then take steps towards remediation prior to contacting customers. The OAIC recommends including the following in notifications to impacted individuals and the OAIC:

  • The contents of the statement to the OAIC.
  • The identity and contact details of the organisation, business or agency with the eligible data breach.
  • The kind (or kinds) of information involved in the breach.
  • Recommendations around appropriate steps to remediate.

It’s up to the APP Entity to determine the appropriateness of their recommendations, depending on the circumstances surrounding the eligible data breach. This may include choosing to tailor recommended steps around an individual’s personal circumstances, or providing more general recommendations that apply to all individuals involved.

6. Use your usual communication channels for notifications

The OAIC recommends that APP Entities use their usual communication methods when notifying eligible customers or consumers of the breach. It doesn’t matter if it’s via phone, email, SMS, mail, social media or in person, as long as the method can reasonably impart the necessary information. To determine this, it’s worth considering how likely the recipient is to become aware of, and understand, the notification, and to act on the recommended remediation steps. Transparent communication is crucial to retaining customer trust in the event of a data breach.


7. Provide steps for your customers to take and share the actions you’ve taken

If an eligible data breach occurs that requires notification, share with your customers the high-level remediation and future mitigation steps you’ve taken. You should also recommend steps the customer should take from their end and outline the rationale for taking them. This reinforces that fighting cybercrime is a collaborative effort. When everyone is clear about their responsibilities, your customers will be more confident that adequate action has been taken.

8. Let customers know what you’ve done to avoid similar breaches in the future

Organisations should detail the key control measures they’ve put in place to avoid similar future attacks and mention any attack attempts that those measures have since thwarted. It’s also worth mentioning any knowledge-sharing that’s taken place from an industry perspective. This demonstrates continued improvement and a willingness to collaborate to get increasingly effective and rapid results, leading to better future mitigation and greater customer trust.


9. Get outside help if you need it

The Notifiable Data Breaches scheme demonstrates that having a mature incident response approach is no longer a ‘nice to have’, but rather a necessity for all organisations, agencies and businesses. It’s time for everyone to start assessing their current cyber security response capability and uplifting their data breach response plans.

The problem is, not all organisations have the in-house cyber security capability to quickly and effectively identify eligible data breaches and remediate them. That’s okay – not all organisations are expected to. Take advantage of specialist cyber security consultants and the services they offer, whether it’s once-off advice or ongoing support. This will help minimise the number of eligible data breaches that occur within your environment in the first place, which goes a long way in maintaining customer trust.

Final thoughts

Being prepared not only helps you win the battle against cyber criminals but also helps you maintain customer trust. This is where Kinetic IT’s PROTECT+ cyber security team can help. We determine your preparedness for handling an eligible data breach, and ensure you have the right processes in place to respond should the worst happen.

Get in touch with the PROTECT+ team to find out more about tailored security solutions and advice for your organisation.