Getting prepared for mandatory data breach reporting

We take a look at the impending mandatory data breach laws and what you need to do to meet them

There was once a time when cyber security was the domain of the IT team and its specialists.

Then in 2012, former FBI director, Robert S. Mueller, III, offered up the following quote, and no business leader who heard it ever slept quite as well again: “There are only two types of companies: Those that have been hacked, and those that will be hacked.”

Since that time, cyber criminals have become more sophisticated and have broadened the range of targets they pursue. Cyber breaches against large organisations have become a weekly occurrence, often causing significant brand damage. With such inevitability, the most some organisations might hope for is that when breaches do happen, no one on the outside will find out.

But that hope will evaporate in February 2018, when a large swathe of organisations will fall under the power of Australia’s new mandatory data breach notification laws.

Any federal government agency or commercial organisation with turnover greater than $3 million (and currently governed by the Privacy Act) will have to notify the Privacy Commissioner and affected customers as soon as practicable after becoming aware that a serious data breach of personal information has occurred. Failure to do so may result in fines that quickly climb beyond $1 million.

What actually constitutes a ‘serious’ breach is up for interpretation. It could include malicious theft or accidental loss, while personal information might include customer records and identifying details – exactly the type of data that marketers like to retain.

As to what constitutes a report-worthy breach, the legislation requires that a “reasonable person” would reach the conclusion that “serious harm” is likely to occur as a result of the breach.

According to Malcolm Crompton, former Australian privacy commissioner and now managing director at Information Integrity Solutions, every marketer should have an interest in the new law – especially as it is often marketers who are pushing for the retention and use of personal data.

“You do have an interest in this, because brand damage can cost you,” Crompton says. “And marketers may need to be more thoughtful in the actions they take in rapidly deploying new approaches to data use.”

Crompton rates the legislation as being as good as any that has been enacted elsewhere in the world, although definitions of words such as ‘real’, ‘risk’, ‘serious’ and ‘harm’ are yet to be determined by precedent. He says there are also numerous common sense provisions, such as suspending the need to notify customers if doing so would prejudice law enforcement activities.

“You have to notify the commissioner even if you think you shouldn’t have to notify the customer, because if you haven’t notified the commissioner when you should have, you’ll get a spanking,” Crompton says. “But you may be able to argue with the commissioner that notifying the customer is not necessary or not smart.”

A growing data problem

While the true scale of cyber breaches in Australia will only be known once the new law comes into force, it is commonly agreed that the problem of cyber breaches is growing worse.

In its recently-released 2017 Data Breach Digest, global communication company, Verizon, reported that “breaches are becoming more complex and are no longer confined to just the IT department, but are now affecting every department within an organisation. Each breach leaves a lingering, if not lasting imprint on an enterprise”.

Verizon Enterprise Solution’s regional managing principal for its Investigative Response group, Ashish Thapar, says interest in cyber security needs to start well outside the IT function.

“One of the very important things marketers should understand is that cyber risk responsibility drifts across all departments,” he says. “We do data breach investigations, and we are seeing the shifting of focus from servers and systems to users and people and partners and staff.”

And while the intent for many cyber criminals is to make money, the means through which they do so have broadened significantly. Thapar says customer data is very much a key target.

“We do ‘dark net’ research on the underground channels of the internet, and we see these kinds of things being sold in the market,” Thapar says. “And sometimes they put a bounty, asking for a company’s customer data by a certain date.”

This makes marketers a critical component of an organisation’s defensive posture.

“A main role of the marketing department is to enhance the company’s image and reputation and help promote the company’s product and services,” Thapar says. “Today they are having far more responsibility to prepare and actually manage the consequences of a data breach, because the reality is a lot of cost is with respect to customer loyalty, brand and reputation damage.”

Whereas previously marketers might have avoided that brand damage by simply not disclosing a breach (and hoping no one else did), with mandatory reporting organisations that experience a report-worthy breach will have nowhere to hide.

Getting on top of the new laws

According to Nick Abrahams, a partner and APAC technology practice leader at legal firm, Norton Rose Fulbright, it is hard to estimate the impact of the new laws, as there is simply no effective way to measure how many breaches are currently taking place – and hence the extent to which consumers are being kept in the dark about the vulnerability of their information.

“But come 22 February next year, the world changes dramatically, and a lot more breaches are going to have to be notified,” Abrahams says. “Once those things become public knowledge, then from a marketing point of view, you have a whole reputational issue to manage.”

Abrahams’ first recommendation for any marketer is to develop a data breach notification plan, which sets out the actions that take place immediately once a breach is detected. This includes managing outbound communication, both to the regulator and to consumers, as a poor public response to a breach can be worse than the damage done during the breach itself.

Abrahams also cautions that the trend of using third parties to manage and analyse data leaves organisations vulnerable. The Australian Red Cross Blood Service learned this the hard way when its website partner, Precedent, accidentally exposed 1.28 million records online.

As a result, he says Norton Rose Fulbright has developed a fixed-price privacy compliance package to help business leaders understand the risks and create a pathway to avoid breaching the new laws.

While awareness of the new legislation amongst many marketers remains low, some organisations had taken a proactive stance on the issue long before its enactment.

Chief information security officer at REA Group, Craig Templeton, says the CMO is key in both establishing and maintaining trust in the organisation’s brand and reputation.

“Having good cyber security helps to protect that trust,” he says. “It’s important CMOs have a good understanding of the organisation’s security approach so they can help co-develop a good cyber incident response plan.

“As a wholly digital company, we know people have high expectations that they are protected when they use our sites. It’s always been good business practice to understand cyber risk and how the organisation protects personal information. The new mandatory data breach laws shouldn’t change this for many Australian businesses and hasn’t changed our approach.”

The benefits

The new legislation has been of critical interest to ADMA and its offshoot organisation, Data Governance Australia (DGA), whose chairman, Graeme Samuel, last year called for a delay in the introduction of the legislation.

However, ADMA CEO Jodie Sangster says there are some benefits to the Government’s actions. “The government has been trying to bring in mandatory data reporting for a long time, so it is not a big surprise that it has come through,” she says.

“There are some benefits, in that everybody is on a level playing field, everybody is required to abide by the same rules, and it puts a standard in place.”

However, Sangster sees issues in the lack of definition around key words within the legislation.

“There is no real clarity given as to when you are required to report a breach, and when you are not,” she says. “A lot of the assessment is left to companies, to assess themselves as to whether a serious breach has occurred and whether that is going to have a real risk of serious harm for the individual. Those terms are not defined, and that makes it quite difficult for a company to know if it is meant to report or not.

“Where there is a lack of clarity in law, and when you have got enormous fines attached to non-compliance - up to $1.8 million - businesses tend to err on the side of caution. And what we don’t want to see is over-reporting, because that doesn’t benefit the consumer. So we have got a job to do here to make sure this piece of law actually has the intended effect.”

Sangster says ADMA will continue running seminars and providing tools and resources to marketers to help them understand and prepare for the new laws.

“The real impact is on a company’s brand,” she says. “And for a marketer, that is the Holy Grail. That is why there needs to be visibility and some degree of involvement from a marketing department to make sure the brand remains strong.

“I do think over the course of the next six months, as this is talked about more and as we are doing more programs around it, the awareness will go up.”
