The Optus data breach is top of mind for a lot of Australians, particularly those who have had their data breached.
For business, the breach is a timely warning on the importance of understanding what data is held on your customers, how it is secured, how your systems work and the process to identify gaps and deficiencies, the appropriate actions if and when a breach occurs, and the impact on your relationship to your customer.
Note: This is not something that can be outsourced to IT but a whole of business issue.
The obligations on business
We all know that no system is 100% secure. For Optus, this is not the first time. In 2015, Optus agreed to an enforceable undertaking for breaching the Privacy Act in 2015.
A data breach happens when personal information is accessed or disclosed without authorisation or is lost. If the Privacy Act 1988 covers your business, you must notify affected individuals and the Office of the Australian Information Commissioner when a data breach involving personal information is likely to result in serious harm. The notification must be as soon as practicable but is expected to be no later than 30 days. Every day counts.
A business must take all reasonable steps to comply with its obligations to prevent data breaches occurring. These obligations are not limited to preventing cyber attacks.
Malicious or criminal attacks represent 55% of all reported data breaches. But, human error is responsible for 41% and 4% through system faults. Where human error was involved, 43% was where personal information was emailed to the wrong recipient and 21% the unintended release or publication of personal information.
How to apologise in a data breach
Your relationship with your client is about trust. Beyond the breach notification requirements, the other issue is the client relationship.
So, how should a business apologise?
The bottom line? The apology must come at a cost to be effective. That cost can be reputational, a commitment to do better in the future, or a monetary cost.
The paper states:
- First, apologies are not a panacea – the efficacy of an apology and whether it may backfire depend on how the apology is made.
- Second, across treatments, money speaks louder than words – the best form of apology is to include a coupon for a future trip.
- Third, in some cases sending an apology is worse than sending nothing at all, particularly for repeated apologies and apologies that promise to do better.
Helping to protect against data breaches
- Understand your Privacy Act obligations. Specific industries and businesses that hold specific types of data often have advanced requirements.
- Review the personal information held on customers. Is their full date of birth a necessary part of what your business does? If you need to verify identify, do those identification documents really need to be stored once they have been validated? Or is positive confirmation enough? Is the data held securely and is access limited to only those who require access?
- Ensuring systems have multi-factor authentication.
- Improving staff awareness of not only cyber threats and how to prevent them – phishing, fraudulent messages etc, but reviewing how personal data is managed and accessed.
- Understanding your systems and how they work together to prevent security gaps or ‘backdoor’ systems access.
Read the blogs below for more about your personal data and who has access to it, and how to stay cyber safe at home.
To find out how we keep your data safe at Aintree Group, click here.