Page 18

Cover Feature Cyber Security

You’ve had a data breach … what happens next?

Y By Dr Jodie Siganto

ou know that Australia’s data breach notification amendments to the Privacy Act 1988 (Cth) become effective on 22nd February 2018. Naturally, you are busy planning your data breach response strategy. Aren’t you? Quite a bit has been written about the legal requirements relating to identifying and notifying data breaches, yet little has been said about what’s likely to happen after you notify of a breach. For example, how will the press cover the story? What happens if the Privacy Commissioner decides to investigate? Can your executives be called before the Privacy Commissioner and might you be fined? Could you be sued? This article looks at important considerations relating to your breach response plan, based on how the Office of the Australian Information Commissioner (OAIC) has handled data breach cases so far. I’ll also introduce some of the experiences in the US, where data breach notification laws have been in place for almost 15 years. How Might the Press Cover Your Story? One likely consequence of a data breach notification is that the press will find out from a tip-off or from social media (assuming they are not the source of the story in the first place). Having an effective strategy to deal with the press can reduce reputational harm, with the Australian Bureau of Statistics Census failure offering an excellent example of the reputational damage that a poorly executed communications plan can cause. Most organisations have a crisis communications

18 | Australian Cyber Security Magazine

strategy, which includes press releases and pre-prepared statements. But have you any idea how the media will treat your corporate comms? Do you expect them to adopt your language and support the same messaging? To the contrary, research from the US suggests that the press will sensationalise the ‘data breach’ aspects of the story and downplay or ignore apologies or remediation efforts. Last October’s Red Cross breach was a great example of how the media can sensationalise a data breach. A file of donor details was placed on a web facing server with directory listing enabled, meaning the file was both discoverable and accessible. The OAIC investigation indicates that only one individual found and downloaded the file before reporting the vulnerability (indirectly) to the Blood Service and others. There was no evidence of wider access to the file. However, media reports included headlines such as ‘1.3m records leaked’, ‘Australia’s biggestever data breach’, and ‘Human error exposed 550,000 donor records’, all of which implied widespread access to the information, which was not true. Your communications strategy should anticipate this type of coverage and include ways to neutralise the likely sensationalism.

What information should be given to the OAIC? If you decide you need to notify affected individuals of a data breach, a copy of that notice must be given to the OAIC.

Australian Cyber Security Magazine, ISSUE 3, 2017  

The Australian Information Security Association (‘AISA’) in agreement with My Security Media is proud to release Issue 3 of the Australian C...

Australian Cyber Security Magazine, ISSUE 3, 2017  

The Australian Information Security Association (‘AISA’) in agreement with My Security Media is proud to release Issue 3 of the Australian C...