Trust is the basis of business relationships. And transparency is the basis of trust. So what should you do if a data breach occurs in your organisation? We can look to the new Notifiable Data Breaches (NDB) scheme in Australia for some guidance on the topic.
While countries around the world are ramping up their data breach legislation (see details in the free ebook, Managing Data Risk in the Enterprise), Australia has advanced their legislation with a focus on notification requirements post a breach event.
It rules that relevant organisations must notify the authorities and individuals that have had their personal information caught up in a data breach that could cause serious harm.
According to the Office of the Australian Information Commissioner (OAIC), this notification must include recommendations about steps individual customers can take given the breach has occurred. The scheme was live on 22nd February 2018, and in March saw 55 data breaches reported*.
The scheme encourages a spirit of transparency. Where organisations might have kept a breach secret once before, today it is encouraged to notify not only for legislative compliance, but as the best policy for building authentic customer relationships and a brand people can trust.
Post-breach, customers want to see a clear explanation as to what happened and what actions are being taken to resolve the issue. Many people are willing to forgive, however only if a company does what they can to remedy the situation, acknowledge any wrongdoing, advise all actions, and potentially provide compensation.
Consider the following actions should a breach occur.
- Stop the leak before doing anything else. The OAIC recommends your first step be to contain a suspected or known breach wherever possible. This means limiting any further access or distribution of affected personal information and the possible compromise of other information.
- Where possible, you should then recover lost information and change access controls plus the location of the data to reduce any ongoing potential harm.
- Next, consider whether the data breach is likely to result in serious harm to any of the individuals involved, and if so, what that harm may be. If it's deemed there could be harm involved, then notification must occur for legislative compliance (in Australia and other constituencies - see your local authorities for details), and for the health of your brand going forward.
- In Australia, this notification must be to the authorities and affected individuals. This may include a statement on your website to provide all details of the breach, an apology, plus an outline of what is being done to manage and then remedy the breach.
- Consider then making your customers feel in control of their personal information post-breach by allowing them to re-confirm their preferences when the breach has been resolved.
- You may also wish to consider compensating any victims based on the severity of the attack as this could be a lower cost option than having to rebuild your customer base all over again.
Remember, trust is the key to success, and transparency is the key to trust.
You need to aim for the best customer experience possible during the critical time following a security breach. While this is a compliance requirement now in many parts of the world including Australia, it is also an act of good faith that organisations might want to consider whether they are obliged to legally or not.
The irony is that communicating real-time updates can work to strengthen the relationship between your business and customer base and provide potential opportunities for more in-depth engagement and loyalty than ever before (although this will depend on your circumstances and the way in which you manage this communication).
Finally, you need to act in a positive and genuine manner going forward. Make changes to your cyber security and privacy policies and processes, boost your data governance regime, and consider new technologies such as data masking and data encryption as found in FUJITSU Enterprise Postgres.
If you have data security concerns and are looking for a more robust, secure and scalable database, then contact one of our experts on +612 9452 9191.