Australian Cyber Security Magazine, ISSUE 4, 2018


Cyber Security

Breach notification isn’t just about breach notification

By Samantha Humphries

Mandatory breach notification is fast becoming a requirement all over the world. Whether you need to comply with GDPR on a global level, with NDB more locally in Australia, or another regulation that’s relevant to your vertical, it’s becoming more commonplace. And, frankly, it’s about time.

Data has long had a monetary value attached to it, whether it be personal data, financial data, proprietary data, or state secrets. Stolen login credentials can trade hands on the dark web for a mere handful of cents, and with password reuse an all too common occurrence, it’s not complicated for an attacker to gain access to a whole lot more information with a small amount of effort. I’m not going to go into lecture mode about password hygiene right now. As security professionals, we all know the drill, so we understand it’s on us to both educate and protect the users as best we can.

I do want to share a story with you about a person I met last year, who had been through the nightmare that is identity theft. This person is certainly not counting the pennies in their bank account; their credit rating was incredible; yet they now have to prove that they are really, really, really them every time they speak to financial or service providers, and their once awesome credit rating is most definitely in repair mode. The ‘other them’ took out loans, credit cards and store cards in their name, changed their address multiple times, and took out utility contracts in order to get ‘proof’ of address. Getting this resolved is still taking up a lot of their time, and there is no one throat to choke when it comes to getting assistance.

This story, which is by no means an isolated event, goes to show how leaked personal data can have a massive impact on someone’s life. So as a person who shares my data with organisations, I am very pleased to see that regulatory compliance is putting the onus on both protecting my data and letting me know if it’s fallen into the wrong hands.

Breach notification, whilst not something that is “fun”, is just one part of the incident response puzzle. The act of sending an email to customers or updating some code on a webserver is something that happens regularly, but getting the message right is critical. Crafting the message in a way that resonates with your customers isn’t something that


Australian Cyber Security Magazine, ISSUE 4, 2018 by MySecurity Marketplace - Issuu