Getting prepared for mandatory data breach reporting

We take a look at the impending mandatory data breach laws and what you need to do to meet them

There was once a time when cyber security was the domain of the IT team and its specialists.

Then in 2012, former FBI director, Robert S. Mueller, III, offered up the following quote, and no business leader who heard it ever slept quite as well again: “There are only two types of companies: Those that have been hacked, and those that will be hacked.”

Since that time cyber criminals have become more sophisticated, and broadened the range of targets they pursue. Cyber breaches against large organisations have become a weekly occurrence, often causing significant brand damage. With such inevitability, the most some organisations might hope for is that when they do happen, no one on the outside will find out.

But that hope will evaporate in February 2018, when a large swathe of organisations will fall under the power of Australia’s new mandatory data breach notification laws.

Any federal government agency or commercial organisation with turnover greater than $3 million (and currently governed by the Privacy Act) will have to notify the Privacy Commissioner and affected customers as soon as practicable after becoming aware that a serious data breach of personal information has occurred. Failure to do so may result in fines that quickly climb beyond $1 million.

What actually constitutes a ‘serious’ breach is up for interpretation. It could include malicious theft or accidental loss, while personal information might include customer records and identifying details – exactly the type of data that marketers like to retain.

As to what constitutes a report-worthy breach, the legislation requires that a “reasonable person” would reach the conclusion that “serious harm” is likely to occur as a result of the breach.

According to Malcolm Crompton, former Australian privacy commissioner and now managing director at Information Integrity Solutions, every marketer should have an interest in the new law – especially as it is often marketers who are pushing for the retention and use of personal data.

“You do have an interest in this, because brand damage can cost you,” Crompton says. “And marketers may need to be more thoughtful in the actions they take in rapidly deploying new approaches to data use.”

Crompton rates the legislation as being as good as any that has been enacted elsewhere in the world, although definitions of words such as ‘real’, ‘risk’, ‘serious’ and ‘harm’ are yet to be determined by precedent. He says there are also numerous common sense provisions, such as suspending the need to notify customers if doing so would prejudice law enforcement activities.

“You have to notify the commissioner even if you think you shouldn’t have to notify the customer, because if you haven’t notified the commissioner when you should have, you’ll get a spanking,” Crompton says. “But you may be able to argue with the commissioner that notifying the customer is not necessary or not smart.”

A growing data problem

While the true scale of cyber breaches in Australia will only be known once the new law comes into force, it is commonly agreed that the problem of cyber breaches is growing worse.

In its recently-released 2017 Data Breach Digest, global communication company, Verizon, reported that “breaches are becoming more complex and are no longer confined to just the IT department, but are now affecting every department within an organisation. Each breach leaves a lingering, if not lasting imprint on an enterprise”.

Verizon Enterprise Solution’s regional managing principal for its Investigative Response group, Ashish Thapar, says interest in cyber security needs to start well outside the IT function.

“One of the very important things marketers should understand is that cyber risk responsibility drifts across all departments,” he says. “We do data breach investigations, and we are seeing the shifting of focus from servers and systems to users and people and partners and staff.”

And while the intent for many cyber criminals is to make money, the means through which they do so have broadened significantly. Thapar says customer data is very much a key target.

“We do ‘dark net’ research on the underground channels of the internet, and we see these kinds of things being sold in the market,” Thapar says. “And sometimes they put a bounty, asking for a company’s customer data by a certain date.”

This makes marketers a critical component of an organisation’s defensive posture.

“A main role of the marketing department is to enhance the company’s image and reputation and help promote the company’s product and services,” Thapar says. “Today they are having far more responsibility to prepare and actually manage the consequences of a data breach, because the reality is a lot of cost is with respect to customer loyalty, brand and reputation damage.”

Whereas previously marketers might have avoided that brand damage by simply not disclosing a breach (and hoping no one else did), with mandatory reporting organisations that experience a report-worthy breach will have nowhere to hide.

Getting on top of the new laws

According to Nick Abrahams, a partner and APAC technology practice leader at legal firm, Norton Rose Fulbright, it is hard to estimate the impact of the new laws, as there is simply no effective way to measure how many breaches are currently taking place – and hence the extent to which consumers are being kept in the dark about the vulnerability of their information.

“But come 22 February next year, the world changes dramatically, and a lot more breaches are going to have to be notified,” Abrahams says. “Once those things become public knowledge, then from a marketing point of view, you have a whole reputational issue to manage.”

Abrahams’ first recommendation for any marketer is to develop a data breach notification plan, which sets out the actions that take place immediately once a breach is detected. This includes managing outbound communication, both to the regulator and to consumers, as a poor public response to a breach can be worse than the damage done during the breach itself.

Abrahams also cautions that the trend towards using third parties to manage and analyse data leaves organisations vulnerable. The Australian Red Cross Blood Service learned this the hard way when its website partner, Precedent, accidentally exposed 1.28 million records online.

As a result, he says Norton Rose Fulbright has developed a fixed-price privacy compliance package to help business leaders understand the risks and create a pathway to avoid breaching the new laws.

While awareness of the new legislation amongst many marketers remains low, some organisations have taken a proactive stance on the issue long before its enactment.

Chief information security officer at REA Group, Craig Templeton, says the CMO is key in both establishing and maintaining trust in the organisation’s brand and reputation.

“Having good cyber security helps to protect that trust,” he says. “It’s important CMOs have a good understanding of the organisation’s security approach so they can help co-develop a good cyber incident response plan.

“As a wholly digital company, we know people have high expectations that they are protected when they use our sites. It’s always been good business practice to understand cyber risk and how the organisation protects personal information. The new mandatory data breach laws shouldn’t change this for many Australian businesses and hasn’t changed our approach.”

The benefits

The new legislation has been of critical interest to ADMA and its offshoot organisation, Data Governance Australia (DGA), whose chairman, Graeme Samuel, last year called for a delay in the introduction of the legislation.

However, ADMA CEO Jodie Sangster says there are some benefits to the Government’s actions. “The government has been trying to bring in mandatory data reporting for a long time, so it is not a big surprise that it has come through,” she says.

“There are some benefits, in that everybody is on a level playing field, everybody is required to abide by the same rules, and it puts a standard in place.”

However, Sangster sees issues in the lack of definition around key words within the legislation.

“There is no real clarity given as to when you are required to report a breach, and when you are not,” she says. “A lot of the assessment is left to companies, to assess themselves as to whether a serious breach has occurred and whether that is going to have a real risk of serious harm for the individual. Those terms are not defined, and that makes it quite difficult for a company to know if it is meant to report or not.

“Where there is a lack of clarity in law, and when you have got enormous fines attached to non-compliance - up to $1.8 million - businesses tend to err on the side of caution. And what we don’t want to see is over-reporting, because that doesn’t benefit the consumer. So we have got a job to do here to make sure this piece of law actually has the intended effect.”

Sangster says ADMA will continue running seminars and providing tools and resources to marketers to help them understand and prepare for the new laws.

“The real impact is on a company’s brand,” she says. “And for a marketer, that is the Holy Grail. That is why there needs to be visibility and some degree of involvement from a marketing department to make sure the brand remains strong.

“I do think over the course of the next six months, as this is talked about more and as we are doing more programs around it, the awareness will go up.”
