Getting prepared for mandatory data breach reporting

There was once a time when cyber security was the domain of the IT team and its specialists.

Then in 2012, former FBI director, Robert S. Mueller, III, offered up the following quote, and no business leader who heard it ever slept quite as well again: “There are only two types of companies: Those that have been hacked, and those that will be hacked.”

Since that time cyber criminals have become more sophisticated, and broadened the range of targets they pursue. Cyber breaches against large organisations have become a weekly occurrence, often causing significant brand damage. With such inevitability, the most some organisations might hope for is that when they do happen, no one on the outside will find out.

But that hope will evaporate in February 2018, when large swathe of organisations will fall under the power of Australia’s new mandatory data breach notification laws.

Any federal government agency or commercial organisation with turnover greater than $3 million (and currently governed by the Privacy Act) will have to notify the Privacy Commissioner and affected customers as soon as practicable after becoming aware that a serious data breach of personal information has occurred. Failure to do so may result in fines that quickly climb beyond $1 million.

What actually constitutes a ‘serious’ breach is up for interpretation. It could include malicious theft or accidental loss, while personal information might include customer records and identifying details – exactly the type of data that marketers like to retain.

As to what constitutes a report-worthy breach, the legislation requires that a “reasonable person” would reach the conclusion that “serious harm” is likely to occur as a result of the breach.

According to Malcolm Crompton, former Australian privacy commissioner and now managing director at Information Integrity Solutions, every marketer should have an interest in the new law – especially as it is often marketers who are pushing for the retention and use of personal data.

“You do have an interest in this, because brand damage can cost you,” Crompton says. “And marketers may need to be more thoughtful in the actions they take in rapidly deploying new approaches to data use.”

Crompton rates the legislation as being as good as any that has been enacted elsewhere in the world, although definitions of words such as ‘real’, ‘risk’, ‘serious’ and ‘harm’ are yet to be determined by precedent. He says there are also numerous common sense provisions, such as suspending the need to notify customers if doing so would prejudice law enforcement activities.

“You have to notify the commissioner even if you think you shouldn’t have to notify the customer, because if you haven’t notified the commissioner when you should have, you’ll get a spanking,” Crompton says. “But you may be able to argue with the commissioner that notifying the customer is not necessary or not smart.”

A growing data problem

While the true scale of cyber breaches in Australia will only be known once the new law comes into force, it is commonly agreed that the problem is cyber breaches is growing worse.

In its recently-released 2017 Data Breach Digest, global communication company, Verizon, reported that “breaches are becoming more complex and are no longer confined to just the IT department, but are now affecting every department within an organisation. Each breach leaves a lingering, if not lasting imprint on an enterprise”.

Verizon Enterprise Solution’s regional managing principal for its Investigative Response group, Ashish Thapar, says interest in cyber security needs to start well outside the IT function.

“One of the very important things marketers should understand is that cyber risk responsibility drifts across all departments,” he says. “We do data breach investigations, and we are seeing the shifting of focus from servers and systems to users and people and partners and staff.”

And while the intent for many cyber criminals is to make money, the means through which they do so have broadened significantly. Thapar says customer data is very much a key target.

“We do ‘dark net’ research on the underground channels of the internet, and we see these kinds of things being sold in the market,” Thapar says. “And sometimes they put a bounty, asking for a company’s customer data by a certain date.”

This makes marketers a critical component of an organisation’s defensive posture.

“A main role of the marketing department is to enhance the company’s image and reputation and help promote the company’s product and services,” Thapar says. “Today they are having far more responsibility to prepare and actually manage the consequences of a data breach, because the reality is a lot of cost is with respect to customer loyalty, brand and reputation damage.”

Whereas previously marketers might have avoided that brand damage by simply not disclosing a breach (and hoping no one else did), with mandatory reporting organisations that experience a report-worthy breach will have nowhere to hide.

Getting on top of the new laws

According to Nick Abrahams, a partner and APAC technology practice leader at legal firm, Norton Rose Fulbright, it is hard to estimate the impact of the new laws, as there is simply no effective way to measure how many breaches are currently taking place – and hence the extent to which consumers are being kept in the dark about the vulnerability of their information.

“But come 22 February next year, the world changes dramatically, and a lot more breaches are going to have to be notified,” Abrahams says. “Once those things become public knowledge, then from a marketing point of view, you have a whole reputational issue to manage.”

Abraham’s first recommendation for any marketer is to develop a data breach notification plan, which sets out the actions that take place immediately once a breach is detected.This includes managing outbound communication, both to the regulator and to consumers, as a poor public response to a breach can be worse than the damage done during the breach itself.

Abrahams also cautions the trend to using third parties to manage and analyse data leaves organisations vulnerable. The Australian Red Cross Blood Service learned this the hard way when its website partner, Precedent, accidentally exposed 1.28 million records online.

As a result, he says Norton Rose Fulbright has developed a fixed-price privacy compliance package to help business leaders understand the risks and create a pathway to avoid breaching the new laws.

While awareness of the new legislation amongst many marketers remains low, some organisations took taken a proactive stance to the issue long before its enactment.

Chief information security officer at REA Group, Craig Templeton, says the CMO is key in both establishing and maintaining trust in the organisation’s brand and reputation.

“Having good cyber security helps to protect that trust,” he says. “It’s important CMOs have a good understanding of the organisation’s security approach so they can help co-develop a good cyber incident response plan.

“As a wholly digital company, we know people have high expectations that they are protected when they use our sites.It’s always been good business practice to understand cyber risk and how the organisation protects personal information.The new mandatory data breach laws shouldn’t change this for many Australian businesses and hasn’t changed our approach.”

The benefits

The new legislation has been of critical interest to ADMA and its offshoot organisation, Data Governance Australia (DGA), whose chairman, Graeme Samuel, last year called for a delay in the introduction of the legislation.

However, ADMA CEO Jodie Sangster says there are some benefits to the Government’s actions. “The government has been trying to bring in mandatory data reporting for a long time, so it is not a big surprise that it has come through,” she says.

“There are some benefits, in that everybody is on a level playing field, everybody is required to abide by the same rules, and it puts a standard in place.”

However, Sangster sees issues in the lack of definition around key words within the legislation.

“Three is no real clarity given as to when you are required to report a breach, and when you are not,” she says. “A lot of the assessment is left to companies, to assess themselves as to whether a serious breach has occurred and whether that is going to have a real risk of serious harm for the individual. Those terms are not defined, and that makes it quite difficult for a company to know if it is meant to report or not.

“Where there is a lack of clarity in law, and when you have got enormous fines attached to non-compliance - up to $1.8 million - businesses tend to err on the side of caution. And what we don’t want to see is over-reporting, because that doesn’t benefit the consumer. So we have got a job to do here to make sure this piece of law actually has the intended effect.”

Sangster says ADMA will continue running seminars and providing tools and resources to marketers to help them understand and prepare for the new laws.

“The real impact is on a company’s brand,” she says. “And for a marketer, that is the Holy Grail. That is why there needs to be visibility and some degree of involvement from a marketing department to make sure the brand remains strong.

“I do think over the course of the next six months, as this is talked about more and as we are doing more programs around it, the awareness will go up.”

Follow CMO on Twitter: @CMOAustralia, take part in the CMO conversation on LinkedIn: CMO ANZ, join us on Facebook: https://www.facebook.com/CMOAustralia, or check us out on Google+:google.com/+CmoAu