[BreachExchange] Australia: Data breach notification scheme no ‘armageddon’

Audrey McNeil audrey at riskbasedsecurity.com
Fri Feb 23 15:27:33 EST 2018


Australia’s Notifiable Data Breaches (NDB) scheme is in effect and the next
few months are set to test the validity of some “apocalyptic” predictions
of late.

Is a wave of data breaches going to be made public when previously they
would have been swept under the carpet or hidden from public scrutiny? My
guess is that it won’t cause the stir that many are anticipating.

The Office of the Australian Information Commissioner (OAIC) is responsible
for regulating the scheme and while it will provide greater visibility over
the volume and impact of data breaches affecting customers in Australia, I
don’t believe the goal is to name and shame – as much as there might be an
appetite for it in some corners.

The scheme is simply a welcome exercise in good governance and provides
greater motivation for Australian companies to manage breaches properly.

The truth is, data breaches are more of an inevitability than ever and what
makes the news is a poorly managed one. This is especially the case in an
environment where consumer trust in Australian business is declining and
there are major concerns about privacy and the way companies treat our
personal information.

In this context transparency is key and, in many cases, businesses are
judged by the manner in which they respond to and communicate about
breaches, rather than the nature of the breach itself.

The most notorious breaches in the last 12 months are a case in point, with
one of the world’s leading ride sharing companies making headlines for all
the wrong reasons.

Late last year Uber was forced to officially disclose a data breach that
affected over 57 million users on its platform way back in 2016. What
helped to make the story so sensational was the company’s alleged attempt
to cover it up by paying off those responsible.

The breach was only made public when it was reported by the press, meaning
millions of users found out their data had been compromised by reading it
first in the news rather than hearing from the company direct. Not exactly
a great way to build trust through transparency.

Delays in communicating a breach are common, particularly when the data of
so many people is affected. The NDB should help to put an end to that by
enforcing customer communication as well as reporting to the OAIC.

However, accelerating the need to communicate adds pressure to the
required speed and quality of response and recovery efforts. Those
organisations that weather a data breach relatively unscathed are those
that act quickly to understand the extent and impact on their customers.

They get the right people in the tent early, can immediately implement
measures to contain the breach, remediate as required and communicate to
those parties impacted.

This includes early engagement with the regulator. A poor and slow response
to a data breach may not only create a compliance risk with respect to the
Privacy Act but also open the door to longer term risks of damage to brand
reputation and financial loss.

For most companies, I suspect having a data breach plan and providing
honest and timely communication to those affected will mean there isn’t
much of a story. Especially given the volume of breaches nowadays. Some
tech publications, in particular, have flagged “breach fatigue” among their
readers with a new case reported every few days.

Rather than unveiling corporate malfeasance in customer data management, I
am hopeful that the NDB will be a motivator for truth, providing a
framework for organisations to manage breaches well and build a valuable
skillset into their DNA.

The art of good breach management comes down to accountability, readiness
and transparency. Businesses must be seen to be responsible cyber citizens,
rightly held to account for a breach but in the same regard, applauded for
proactive collaboration and contribution to the community that is helping
to raise the cyber standard in Australia. This movement is well underway.

Australian businesses need to anticipate and be prepared to respond when,
not if, a breach occurs and they need to be open in their communications
with all stakeholders affected. It’s the age of transparency – customers
will demand it, the OAIC will regulate it and the best businesses will
deliver it.