Getting prepared for mandatory data breach reporting

We take a look at the impending mandatory data breach laws and what you need to do to meet them


There was once a time when cyber security was the domain of the IT team and its specialists.

Then in 2012, former FBI director, Robert S. Mueller, III, offered up the following quote, and no business leader who heard it ever slept quite as well again: “There are only two types of companies: Those that have been hacked, and those that will be hacked.”

Since that time cyber criminals have become more sophisticated, and broadened the range of targets they pursue. Cyber breaches against large organisations have become a weekly occurrence, often causing significant brand damage. With such inevitability, the most some organisations might hope for is that when they do happen, no one on the outside will find out.

But that hope will evaporate in February 2018, when large swathe of organisations will fall under the power of Australia’s new mandatory data breach notification laws.

Any federal government agency or commercial organisation with turnover greater than $3 million (and currently governed by the Privacy Act) will have to notify the Privacy Commissioner and affected customers as soon as practicable after becoming aware that a serious data breach of personal information has occurred. Failure to do so may result in fines that quickly climb beyond $1 million.

What actually constitutes a ‘serious’ breach is up for interpretation. It could include malicious theft or accidental loss, while personal information might include customer records and identifying details – exactly the type of data that marketers like to retain.

As to what constitutes a report-worthy breach, the legislation requires that a “reasonable person” would reach the conclusion that “serious harm” is likely to occur as a result of the breach.

According to Malcolm Crompton, former Australian privacy commissioner and now managing director at Information Integrity Solutions, every marketer should have an interest in the new law – especially as it is often marketers who are pushing for the retention and use of personal data.

“You do have an interest in this, because brand damage can cost you,” Crompton says. “And marketers may need to be more thoughtful in the actions they take in rapidly deploying new approaches to data use.”

Crompton rates the legislation as being as good as any that has been enacted elsewhere in the world, although definitions of words such as ‘real’, ‘risk’, ‘serious’ and ‘harm’ are yet to be determined by precedent. He says there are also numerous common sense provisions, such as suspending the need to notify customers if doing so would prejudice law enforcement activities.

“You have to notify the commissioner even if you think you shouldn’t have to notify the customer, because if you haven’t notified the commissioner when you should have, you’ll get a spanking,” Crompton says. “But you may be able to argue with the commissioner that notifying the customer is not necessary or not smart.”

A growing data problem

While the true scale of cyber breaches in Australia will only be known once the new law comes into force, it is commonly agreed that the problem is cyber breaches is growing worse.

In its recently-released 2017 Data Breach Digest, global communication company, Verizon, reported that “breaches are becoming more complex and are no longer confined to just the IT department, but are now affecting every department within an organisation. Each breach leaves a lingering, if not lasting imprint on an enterprise”.

Verizon Enterprise Solution’s regional managing principal for its Investigative Response group, Ashish Thapar, says interest in cyber security needs to start well outside the IT function.

“One of the very important things marketers should understand is that cyber risk responsibility drifts across all departments,” he says. “We do data breach investigations, and we are seeing the shifting of focus from servers and systems to users and people and partners and staff.”

And while the intent for many cyber criminals is to make money, the means through which they do so have broadened significantly. Thapar says customer data is very much a key target.

“We do ‘dark net’ research on the underground channels of the internet, and we see these kinds of things being sold in the market,” Thapar says. “And sometimes they put a bounty, asking for a company’s customer data by a certain date.”

This makes marketers a critical component of an organisation’s defensive posture.

“A main role of the marketing department is to enhance the company’s image and reputation and help promote the company’s product and services,” Thapar says. “Today they are having far more responsibility to prepare and actually manage the consequences of a data breach, because the reality is a lot of cost is with respect to customer loyalty, brand and reputation damage.”

Whereas previously marketers might have avoided that brand damage by simply not disclosing a breach (and hoping no one else did), with mandatory reporting organisations that experience a report-worthy breach will have nowhere to hide.

Getting on top of the new laws

According to Nick Abrahams, a partner and APAC technology practice leader at legal firm, Norton Rose Fulbright, it is hard to estimate the impact of the new laws, as there is simply no effective way to measure how many breaches are currently taking place – and hence the extent to which consumers are being kept in the dark about the vulnerability of their information.

“But come 22 February next year, the world changes dramatically, and a lot more breaches are going to have to be notified,” Abrahams says. “Once those things become public knowledge, then from a marketing point of view, you have a whole reputational issue to manage.”

Abraham’s first recommendation for any marketer is to develop a data breach notification plan, which sets out the actions that take place immediately once a breach is detected.This includes managing outbound communication, both to the regulator and to consumers, as a poor public response to a breach can be worse than the damage done during the breach itself.

Abrahams also cautions the trend to using third parties to manage and analyse data leaves organisations vulnerable. The Australian Red Cross Blood Service learned this the hard way when its website partner, Precedent, accidentally exposed 1.28 million records online.

As a result, he says Norton Rose Fulbright has developed a fixed-price privacy compliance package to help business leaders understand the risks and create a pathway to avoid breaching the new laws.

While awareness of the new legislation amongst many marketers remains low, some organisations took taken a proactive stance to the issue long before its enactment.

Chief information security officer at REA Group, Craig Templeton, says the CMO is key in both establishing and maintaining trust in the organisation’s brand and reputation.

“Having good cyber security helps to protect that trust,” he says. “It’s important CMOs have a good understanding of the organisation’s security approach so they can help co-develop a good cyber incident response plan.

“As a wholly digital company, we know people have high expectations that they are protected when they use our sites.It’s always been good business practice to understand cyber risk and how the organisation protects personal information.The new mandatory data breach laws shouldn’t change this for many Australian businesses and hasn’t changed our approach.”

The benefits

The new legislation has been of critical interest to ADMA and its offshoot organisation, Data Governance Australia (DGA), whose chairman, Graeme Samuel, last year called for a delay in the introduction of the legislation.

However, ADMA CEO Jodie Sangster says there are some benefits to the Government’s actions. “The government has been trying to bring in mandatory data reporting for a long time, so it is not a big surprise that it has come through,” she says.

“There are some benefits, in that everybody is on a level playing field, everybody is required to abide by the same rules, and it puts a standard in place.”

However, Sangster sees issues in the lack of definition around key words within the legislation.

“Three is no real clarity given as to when you are required to report a breach, and when you are not,” she says. “A lot of the assessment is left to companies, to assess themselves as to whether a serious breach has occurred and whether that is going to have a real risk of serious harm for the individual. Those terms are not defined, and that makes it quite difficult for a company to know if it is meant to report or not.

“Where there is a lack of clarity in law, and when you have got enormous fines attached to non-compliance - up to $1.8 million - businesses tend to err on the side of caution. And what we don’t want to see is over-reporting, because that doesn’t benefit the consumer. So we have got a job to do here to make sure this piece of law actually has the intended effect.”

Sangster says ADMA will continue running seminars and providing tools and resources to marketers to help them understand and prepare for the new laws.

“The real impact is on a company’s brand,” she says. “And for a marketer, that is the Holy Grail. That is why there needs to be visibility and some degree of involvement from a marketing department to make sure the brand remains strong.

“I do think over the course of the next six months, as this is talked about more and as we are doing more programs around it, the awareness will go up.”

Follow CMO on Twitter: @CMOAustralia, take part in the CMO conversation on LinkedIn: CMO ANZ, join us on Facebook: https://www.facebook.com/CMOAustralia, or check us out on Google+:google.com/+CmoAu

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Show Comments

Latest Videos

Conversations over a cuppa with CMO: ABC's Leisa Bacon

In this episode of Conversations over a Cuppa with CMO, ABC's director of audiences, Leisa Bacon, shares how she's navigated the COVID-19 crisis, the milestones and adaptability it's ushered in, and what sustained lessons there are for marketers as we start to recover.

More Videos

okay this a good newsmaybe i gonna try it

kenzopoker1

CMO's top 8 martech stories for the week - 9 July 2020

Read more

Very insightful. Executive leaders can let middle managers decide on the best course of action for the business and once these plans are ...

Abi TCA

CMOs: Let middle managers lead radical innovation

Read more

One failing brand tying up with another failing brand!

Realist

Binge and The Iconic launch Inactivewear clothing line

Read more

I am 56 years old and was diagnosed with Parkinson's disease after four years of decreasing mobility to the point of having family dress ...

Nancy Tunick

The personal digital approach that's helping Vision RT ride out the crisis

Read more

I am 57 and diagnosed in June 2009. I had a very long list of symptoms, some of which were. Keeping right arm close to my side while walk...

Nancy Tunick

Gartner survey: CMO spending hit by COVID-19

Read more

Blog Posts

MYOD Dataset: Building a DAM

In my first article in this MYOD [Make Your Organisation Data-Driven] series, I articulated a one-line approach to successfully injecting data into your organisation’s DNA: Using a Dataset -> Skillset -> Mindset framework. This will take your people and processes on a journey to data actualisation.

Kshira Saagar

Group director of data science, Global Fashion Group

Business quiet? Now is the time to review your owned assets

For businesses and advertiser categories currently experiencing a slowdown in consumer activity, now is the optimal time to get started on projects that have been of high importance, but low urgency.

Olia Krivtchoun

CX discipline leader, Spark Foundry

Bottoms up: Lockdown lessons for an inverted marketing world

The effects of the coronavirus slammed the brakes on retail sales in pubs, clubs and restaurants. Fever-Tree’s Australia GM Andy Gaunt explains what they have learnt from some tricky months of trading

Andy Gaunt

General manager, Fever-Tree Australia and New Zealand

Sign in