23 February 2018

Data Breach Reporting

Written by: Brian Shrowder and Jo Osorio, Senior Counsel, Crisis & Risk, and Director, Reputation at Edelman

Crisis Communications, Cyber crime, Data security

The introduction of mandatory data breach reporting laws has ushered in a new era of accountability for Australian companies. It’s a regime that many organisations are not yet prepared for.

It’s not just big business that will be impacted by these laws. Any business with an annual turnover of more than $3 million is now required to notify individuals and the Office of the Australian Information Commissioner when there is a data breach that is likely to result in serious harm to those individuals. This includes small and mid-market businesses, who often do business with larger enterprises and governments

A data breach is not limited to a cyber attack: examples also include the loss or a laptop or flash-drive containing customers’ personal information, or emailing personal information to the wrong address.

Data breaches have become an all too common threat to Australian businesses. Yet, until now, they have often gone unreported and unnoticed by those who may be impacted by a breach.

The Notifiable Data Breaches scheme changes all that. Companies who have suffered a cyber attack or any other type of data breach can no longer avoid customer and public scrutiny. In a world where we continue to distrust our major institutions such as business and government, it is critical that organisations consider and develop a response plan which places communications, speed and transparency front and centre.

Of all the risks associated with managing a data breach, the potential to hit brand and reputation and loss of customer or shareholder trust may well be the most damaging.

Effectively managing a security incident requires careful planning and strong partnerships between communications, forensic IT and legal counsel.


Before a Data Breach

Here are some important planning steps to take before a data breach hits:

  • Appoint a communications lead to be part of the core incident response team, ensuring that communications and reputation management are properly represented from the outset of the decision-making process. Identify in advance who will speak on behalf the organisation in the event of a data breach.
  • Develop a communications component of existing incident response plans, including clear ownership and approvals processes. Many companies have technical incident response plans for investigating and remediating an issue, yet often lack a communications process for deciding what information to disclose to whom and when.
  • Map the stakeholders who may need to receive communications in the event of a data breach, including customers, employees, the OAIC and other regulators, media, partners and vendors. Understanding your disclosure obligations ahead of an incident can save valuable time during a live response.
  • Develop draft media holding statements and other materials for the major types of incidents that are of most concern to your company. These statements may be used with media and other stakeholders during the early stages of an investigation when many of the details are still unclear.
  • Consider the communications implications for each type of incident to help guide decision-making. For example, if and under what circumstances would your organisation pay to remove ransomware and how would you position this decision to stakeholders.
  • Host a tabletop exercise with members of the entire incident response team to test how they would react to the media, customer and regulator attention in a data breach. Invite legal counsel to the tabletop and focus on the non-technical aspects of an incident response.


During a Data Breach

Managing communications in a data breach presents unique challenges compared to other kinds of crises.

What a company knows about the scope of information lost, how long hackers have been in the system, and what remediation steps were successful in keeping them out, can change drastically over the weeks of a forensic investigation. As a result, there are real risks of communicating inaccurate information.

While the facts of each incident will differ, there are several principles to keep in mind:

  • Focus on actions not outcomes. Early in an incident response, keep communications focused on the actions your company is taking to investigate and remediate the situation. Avoiding disclosing numbers or other details of the scope until there is forensic certainty around these facts.
  • Keep customers as your north star. In all messages, ensure you are addressing customers’ concern or needs. Providing actionable guidance is likely to be far more helpful to customers than dwelling in too much detail about how the data breach happened or who was behind it.
  • Ensure that any customer-facing employees are briefed about the data breach and are equipped with appropriate talking points or complaint escalation processes, should they get questions.
  • Leverage your owned properties, for example, your website or Facebook page, to create a single online destination for accurate and updated information about an incident response.


After a Data Breach

  • Consider what steps will be needed after a data breach incident is concluded to regain or earn the trust of those whose information was compromised. In some instances, a long-term reputation recovery strategy may be necessary.

This is by no means a complete list of actions and considerations. Every company has its own challenges and special circumstances to factor in. For those businesses which have not yet prepared a data breach communications plan, the time to begin starts now.

Please update your browser.

This website requires Chrome, Firefox, Safari or Internet Explorer 9+