Marketers bolster cyber credentials as data breach notification law kicks in

It's d-day for the Notifiable Data Breaches legislation today. Here, we ask marketers what they're doing - and what they should be doing - as the laws come into effect

For many Australian organisations, 22 February marks the day when they lose much of their ability to hide shortcomings in how they safeguard the personal data of clients and employees.

The introduction of the Notifiable Data Breaches (NDB) scheme means an organisation with greater than $3 million in turnover that experiences a data breach likely to result in serious harm to any individuals whose personal information is involved must notify the Office of the Australian Information Commissioner and any affected individuals.

While the wording provides some wriggle room, particularly regarding what constitutes ‘serious harm’ and ‘likely to result’, neither the Privacy Commissioner nor the general public are likely to show much favour to organisations that knowingly fail to come clean.

Consensus has been building for some time that no organisation today is truly safe from a cyberattack, and no amount of spending can render it invulnerable. That leaves organisations to consider what they will do not if – but when – a cyber breach occurs.

Defending against breaches has long been the domain of technical specialists. But given the impact prominent data breaches at Target, Sony and Equifax have had on their brand value, NDB has become a piece of legislation every marketer should be paying attention to.

Tackling NDB at Carsales

For Carsales’ Kellie Cordner, the requirements of NDB are not so much a new imposition, as simply a way of life. As chief marketing officer, Cordner shares responsibility for the cyber defences of her organisation with the rest of her executive leadership team.

“It is something we are all signed up to, and that runs through even through our board,” she tells CMO.

The organisation has had a data breach plan in place since long before Cordner joined in 2016, with an accompanying communications plan. These are audited on a regular basis, and Carsales also conducts extensive scenario planning to ensure it is covering every possibility.

Cordner says it is vital Carsales constantly monitor its brand health and the trust that customers place in it, and keeps striving to protect that.

“As a marketer, you have to absolutely 100 per cent be all over this, and so does our CFO, our general counsel, and so on,” Cordner says. 

“The last thing you want to do when you are the custodian of trust in the brand is to be putting a foot wrong. As marketers, we are the ones that use that personal data, and we are the ones that will deal with the fallout if anything happens. People do business with brands they trust. Hence our data practices are front and centre.”

They are also built into Carsales’s policies and procedures, including its induction processes, and all staff undergo annual reaccreditation.

“With my marketing group, the minute you are touching customer data you’ll go through checks and balances with our cyber team and our dev and tech guys,” Cordner says. “You may have good intentions, but we ensure they have that locked down and covered.”

Cordner’s career did not commence in the digital realm, but she has worked hard to understand the essentials of how the data she manages is protected. One of her key methods has been to find people more knowledgeable than herself and ask them for real-life examples of how cyber breaches and defences work.

“Using actual real examples is the best way I know to wrap my head around it,” Cordner says “If you are in a traditional business and venturing into this world, a lot of times you don’t know what you don’t know. You have to make it your business as leading your marketing function to understand how you do this type of thing.”

Digital defence

Cordner is not alone, and there is a growing cadre of marketers embracing not just the digital realm, but also how to defend it.

Executive director for channels and platforms at Deakin University, Lynn Warneke, says the tighter coupling of cybersecurity and brand reputation means marketers should think carefully about cyber risk implications to brands. But she believes embracing cyber also provides an opportunity, particularly for those organisations underdoing digital transformation. Studies, for example, show perceptions of brand trust impact consumers’ willingness to share their data.

“Many organisations undergoing digital transformation aim to improve the customer experience through rich personalisation, so of course acquiring customers’ personal data is critical to success,” Warneke says. “The ‘UX of cybersecurity’ starts with perceptions about an organisation’s cybersecurity posture, transparency and data capture and handling practices.”

This includes assessment of the value on offer and concludes with calculations of whether to trust the organisation to protect and use data well enough.

“Getting that ‘return-on-sharing’ correct is critical for marketers,” Warneke says. “And given cyber risk is a critical element of that equation, marketers really should be paying attention.”

But while both Corner and Warneke have embraced cyber as essential to their roles, they are likely in the minority. This may be due to disinterest or the result of the pressure of other responsibilities. Warneke suggests it may also stem from those at the frontline of cybersecurity not thinking to include marketing in their discussions.

“The majority of organisations are addressing cybersecurity today, but many still appear to define and approach it as a defensive compliance task, and compliance isn’t usually a topic that galvanises marketers, or customers for that matter,” she says. “In the digital era, those organisations with a robust cyber posture – particularly one attuned to customer expectations and calculations about brand trust – have a potential value proposition that deserves marketers’ attention.”

Not surprisingly then, getting marketers more engaged in the cyber discussion is a challenge that is being taken up by the providers of cyber defence technology.

Up next: How marketers can ask the right questions to cope with data breach laws

Page Break

Asking the right questions

Mark Phibbs is vice-president of marketing for APJ at networking and security technology maker Cisco, and a fellow of the Marketing Academy. He has been working to change the way that Cisco communicates its cyber message out to its customer base.

“One of my challenges is to take this very ‘technical’ technology and put it in the terms of the consumer,” he says. “We are trying to think about this not from Cisco out, but from customers in. The best way to do that is case studies and short stories of a day in the life of a CMO or a CEO, so they can get the picture of why this is important, and leave the technology aside.

“But they need to be asking the right questions, about ‘what is our data protection?’.”

Phibbs boils those questions down to four key points: Knowing what and where the data is, having a governance structure in place for its usage, having it protected through the right security and privacy controls, and ensuring that employees are properly educated regarding how to handle and protect data.

“I don’t expect marketers to be the experts on cyber security, but they need to be aware of the threat, and what the threat to their brand image is,” he continues. “Because once this happens, it takes a lot of great marketing to recover from it.”

Phibbs is acutely aware of the dangers a cyber breach could pose to his own organisation – as any marketer should be. But he says this knowledge can be used by marketers to help strengthen their position.

“It is the role of the CMO to talk about brand value,” he says. “We have the 16th most valuable brand in the world, and that is worth a lot of money. And if you talk to CFOs about that, that is a convincing story to invest in the right technology, people and process to minimise the risk.”

Unfortunately, that message still has some distance to travel before it reaches all Australian businesses, despite the legislation itself having been passed by Federal Parliament a year ago.

Lack of awareness

According to Canon Australia’s Business Readiness Index on Security, 60 per cent of affected businesses are unaware of the new law and what it means for them. Canon suggests smaller organisations represent a ripe target for hackers, as they often hold credentials that can see them used as unwitting back doors into much larger organisations.

“The crooks look for the weakest link,” says Asia-Pacific cyber lead at PwC, Steve Ingram. “In many cases, for the people that hold this data, they hold rich data sources for a crook to jump on a as a stepping stone to something big and better.”

Ingram believes legislation such as NDB is necessary, to drive compliance that might avert potential disasters. “This is just fundamental basic business hygiene in this new world that we find ourselves in,” he says.

But even with the new laws in place, he believes much of the market won’t move until someone is made an example of.

“First and foremost, they run the risk of losing client data,” Ingram says. “Secondly, they run the risk of bearing the wrath of the Privacy Commissioner, and I suspect they will be looking for a head on a stick. Third is the damage to their reputation if they have a breach and don’t notify anyone, and it comes out through the privacy commissioner.

“That naming and shaming will be where the real pain comes, and they need to be careful that they don’t have a history of breaches of other compliance regulations because then you start to doubt the culture of the organisation.”

And no marketer ever wants to be a dire warning for others.

Follow CMO on Twitter: @CMOAustralia, take part in the CMO conversation on LinkedIn: CMO ANZ, join us on Facebook:, or check us out on