Getting prepared for mandatory data breach reporting

We take a look at the impending mandatory data breach laws and what you need to do to meet them

There was once a time when cyber security was the domain of the IT team and its specialists.

Then in 2012, former FBI director, Robert S. Mueller, III, offered up the following quote, and no business leader who heard it ever slept quite as well again: “There are only two types of companies: Those that have been hacked, and those that will be hacked.”

Since that time cyber criminals have become more sophisticated, and broadened the range of targets they pursue. Cyber breaches against large organisations have become a weekly occurrence, often causing significant brand damage. With such inevitability, the most some organisations might hope for is that when they do happen, no one on the outside will find out.

But that hope will evaporate in February 2018, when large swathe of organisations will fall under the power of Australia’s new mandatory data breach notification laws.

Any federal government agency or commercial organisation with turnover greater than $3 million (and currently governed by the Privacy Act) will have to notify the Privacy Commissioner and affected customers as soon as practicable after becoming aware that a serious data breach of personal information has occurred. Failure to do so may result in fines that quickly climb beyond $1 million.

What actually constitutes a ‘serious’ breach is up for interpretation. It could include malicious theft or accidental loss, while personal information might include customer records and identifying details – exactly the type of data that marketers like to retain.

As to what constitutes a report-worthy breach, the legislation requires that a “reasonable person” would reach the conclusion that “serious harm” is likely to occur as a result of the breach.

According to Malcolm Crompton, former Australian privacy commissioner and now managing director at Information Integrity Solutions, every marketer should have an interest in the new law – especially as it is often marketers who are pushing for the retention and use of personal data.

“You do have an interest in this, because brand damage can cost you,” Crompton says. “And marketers may need to be more thoughtful in the actions they take in rapidly deploying new approaches to data use.”

Crompton rates the legislation as being as good as any that has been enacted elsewhere in the world, although definitions of words such as ‘real’, ‘risk’, ‘serious’ and ‘harm’ are yet to be determined by precedent. He says there are also numerous common sense provisions, such as suspending the need to notify customers if doing so would prejudice law enforcement activities.

“You have to notify the commissioner even if you think you shouldn’t have to notify the customer, because if you haven’t notified the commissioner when you should have, you’ll get a spanking,” Crompton says. “But you may be able to argue with the commissioner that notifying the customer is not necessary or not smart.”

A growing data problem

While the true scale of cyber breaches in Australia will only be known once the new law comes into force, it is commonly agreed that the problem is cyber breaches is growing worse.

In its recently-released 2017 Data Breach Digest, global communication company, Verizon, reported that “breaches are becoming more complex and are no longer confined to just the IT department, but are now affecting every department within an organisation. Each breach leaves a lingering, if not lasting imprint on an enterprise”.

Verizon Enterprise Solution’s regional managing principal for its Investigative Response group, Ashish Thapar, says interest in cyber security needs to start well outside the IT function.

“One of the very important things marketers should understand is that cyber risk responsibility drifts across all departments,” he says. “We do data breach investigations, and we are seeing the shifting of focus from servers and systems to users and people and partners and staff.”

And while the intent for many cyber criminals is to make money, the means through which they do so have broadened significantly. Thapar says customer data is very much a key target.

“We do ‘dark net’ research on the underground channels of the internet, and we see these kinds of things being sold in the market,” Thapar says. “And sometimes they put a bounty, asking for a company’s customer data by a certain date.”

This makes marketers a critical component of an organisation’s defensive posture.

“A main role of the marketing department is to enhance the company’s image and reputation and help promote the company’s product and services,” Thapar says. “Today they are having far more responsibility to prepare and actually manage the consequences of a data breach, because the reality is a lot of cost is with respect to customer loyalty, brand and reputation damage.”

Whereas previously marketers might have avoided that brand damage by simply not disclosing a breach (and hoping no one else did), with mandatory reporting organisations that experience a report-worthy breach will have nowhere to hide.

Getting on top of the new laws

According to Nick Abrahams, a partner and APAC technology practice leader at legal firm, Norton Rose Fulbright, it is hard to estimate the impact of the new laws, as there is simply no effective way to measure how many breaches are currently taking place – and hence the extent to which consumers are being kept in the dark about the vulnerability of their information.

“But come 22 February next year, the world changes dramatically, and a lot more breaches are going to have to be notified,” Abrahams says. “Once those things become public knowledge, then from a marketing point of view, you have a whole reputational issue to manage.”

Abraham’s first recommendation for any marketer is to develop a data breach notification plan, which sets out the actions that take place immediately once a breach is detected.This includes managing outbound communication, both to the regulator and to consumers, as a poor public response to a breach can be worse than the damage done during the breach itself.

Abrahams also cautions the trend to using third parties to manage and analyse data leaves organisations vulnerable. The Australian Red Cross Blood Service learned this the hard way when its website partner, Precedent, accidentally exposed 1.28 million records online.

As a result, he says Norton Rose Fulbright has developed a fixed-price privacy compliance package to help business leaders understand the risks and create a pathway to avoid breaching the new laws.

While awareness of the new legislation amongst many marketers remains low, some organisations took taken a proactive stance to the issue long before its enactment.

Chief information security officer at REA Group, Craig Templeton, says the CMO is key in both establishing and maintaining trust in the organisation’s brand and reputation.

“Having good cyber security helps to protect that trust,” he says. “It’s important CMOs have a good understanding of the organisation’s security approach so they can help co-develop a good cyber incident response plan.

“As a wholly digital company, we know people have high expectations that they are protected when they use our sites.It’s always been good business practice to understand cyber risk and how the organisation protects personal information.The new mandatory data breach laws shouldn’t change this for many Australian businesses and hasn’t changed our approach.”

The benefits

The new legislation has been of critical interest to ADMA and its offshoot organisation, Data Governance Australia (DGA), whose chairman, Graeme Samuel, last year called for a delay in the introduction of the legislation.

However, ADMA CEO Jodie Sangster says there are some benefits to the Government’s actions. “The government has been trying to bring in mandatory data reporting for a long time, so it is not a big surprise that it has come through,” she says.

“There are some benefits, in that everybody is on a level playing field, everybody is required to abide by the same rules, and it puts a standard in place.”

However, Sangster sees issues in the lack of definition around key words within the legislation.

“Three is no real clarity given as to when you are required to report a breach, and when you are not,” she says. “A lot of the assessment is left to companies, to assess themselves as to whether a serious breach has occurred and whether that is going to have a real risk of serious harm for the individual. Those terms are not defined, and that makes it quite difficult for a company to know if it is meant to report or not.

“Where there is a lack of clarity in law, and when you have got enormous fines attached to non-compliance - up to $1.8 million - businesses tend to err on the side of caution. And what we don’t want to see is over-reporting, because that doesn’t benefit the consumer. So we have got a job to do here to make sure this piece of law actually has the intended effect.”

Sangster says ADMA will continue running seminars and providing tools and resources to marketers to help them understand and prepare for the new laws.

“The real impact is on a company’s brand,” she says. “And for a marketer, that is the Holy Grail. That is why there needs to be visibility and some degree of involvement from a marketing department to make sure the brand remains strong.

“I do think over the course of the next six months, as this is talked about more and as we are doing more programs around it, the awareness will go up.”

Follow CMO on Twitter: @CMOAustralia, take part in the CMO conversation on LinkedIn: CMO ANZ, join us on Facebook:, or check us out on

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Show Comments

Latest Videos

More Videos

Invest and earn with Coinbloc .us. Guaranteed Weekly ROI, early signals, fast withdrawals among others. I recommend Coinbloc .us as on...

Hans Jensen

Explainer: What marketers need to know about cryptocurrency

Read more

Investment decisions are a big deal, so why not get some guidance? You can day-trade cryptos, BUY and HOLD and evaluate the assets with f...

Dave Sigurd

Gartner: Digital isn't enough of a superpower for CMOs anymore

Read more

I normally don’t feel comfortable investing online but because the company I worked for downsized due to the pandemic and I was one of th...

Dave Sigurd

CMO's top 8 martech stories for the week - 9 June 2022

Read more

Investment decisions are a big deal, so why not get some guidance? You can day-trade cryptos, BUY and HOLD and evaluate the assets with f...

Dave Sigurd

Creating a marketplace for wellness

Read more

A solution for an retail industry data extraction.

"e-Scraper" Data Extracting

​Catchoftheday launches fee-based online shopping club

Read more

Blog Posts

2 hidden ingredients for leadership success CMOs need to know

Your success as a senior marketing professional has much in common with your success as a leader. Both marketing, and leadership activities, depend on building trust, encouraging action, and reliably fulfilling promises that have been made.

Gerard Penna

Leadership advisor, coach

How shifting economic trends are impacting digital media

Between further interest rate rises, inflation​, empty shelves, extortionate lettuce prices, supply chain issues and the barely believable events in Eastern Europe, the past six months there’s been a cacophony of environmental factors.

Kieran Reed

Senior digital manager, Alpha Digital

5 ways to turn imposter syndrome into confidence and conviction

Imposter syndrome. That feeling others will discover you are actually not as good as they expect, and at any point you will be exposed and ridiculed as a fraud. If you can relate to this, then you are not alone.

Rowena Millward

Author, consultant

Sign in