Lessons from a data breach

The Optus data breach is top of mind for a lot of Australians, particularly those who have had their data breached.

For business, the breach is a timely warning on the importance of understanding what data is held on your customers (and should you hold it?), how it is secured, how your systems work and the process to identify gaps and deficiencies, the appropriate actions if and when a breach occurs, and the impact on your relationship to your customer. This is not something that can be outsourced to IT but a whole of business issue.

The obligations on business

We all know that no system is 100% secure. For Optus, this is not the first time. In 2015, Optus agreed to an enforceable undertaking for breaching the Privacy Act in 2015.

A data breach happens when personal information is accessed or disclosed without authorisation or is lost. If the Privacy Act 1988 covers your business, you must notify affected individuals and the Office of the Australian Information Commissioner when a data breach involving personal information is likely to result in serious harm. The notification must be as soon as practicable but is expected to be no later than 30 days. Every day counts.

A business must take all reasonable steps to comply with its obligations to prevent data breaches occurring. These obligations are not limited to preventing cyber attacks. Malicious or criminal attacks represent 55% of all reported data breaches. But, human error is responsible for 41% and 4% through system faults. Where human error was involved, 43% was where personal information was emailed to the wrong recipient and 21% the unintended release or publication of personal information.

How to apologise

Your relationship with your client is about trust. Beyond the breach notification requirements, the other issue is the client relationship.

So, how should a business apologise? University of Chicago economist John List, Professor Benjamin Ho from Vassar College along with other academics studied this issue for Uber ride sharing – the experiment came about after John List, who was at the time Uber’s Chief Economist, had a bad ride sharing experience. The bottom line? The apology must come at a cost to be effective. That cost can be reputational, a commitment to do better in the future (the cost is the higher standard), or a monetary cost. The paper states: First, apologies are not a panacea – the efficacy of an apology and whether it may backfire depend on how the apology is made. Second, across treatments, money speaks louder than words – the best form of apology is to include a coupon for a future trip. Third, in some cases sending an apology is worse than sending nothing at all, particularly for repeated apologies and apologies that promise to do better.

Helping to protect against data breaches

  • Understand your Privacy Act obligations. Specific industries and businesses that hold specific types of data often have advanced requirements.
  • Review the personal information held on customers. Is their full date of birth a necessary part of what your business does? If you need to verify identify, do those identification documents really need to be stored once they have been validated? Or is positive confirmation enough? Is the data held securely and is access limited to only those who require access?
  • Ensuring systems have multifactor authentication
  • Improving staff awareness of not only cyber threats and how to prevent them – phishing, fraudulent messages etc, but reviewing how personal data is managed and accessed.
  • Understanding your systems and how they work together to prevent security gaps or ‘backdoor’ systems access.