When sensitive or personal information is stolen, goes missing or is exposed, it can potentially harm innocent people and inflict severe reputational damage on an organisation. How the organisation responds is critical to ensuring the damage does not become irreparable.
CANNINGS PURPLE WHITE PAPER
Privacy under attack
Millions of Australians have lost control of their personal data as a result of notifiable data breaches. Three of Australia’s biggest data breaches occurred in the last 12 months.
Whether they were the result of malicious actions or negligence, individuals' details are potentially in the hands of cybercriminals, leaving them exposed to fraud and identity theft.
Cyber threats are evolving faster than any other risk management area, and business leaders must demonstrate they are taking these threats seriously.
Notifiable data breaches in Australia
A data breach is notifiable when exposed information is deemed likely to result in serious harm to any individuals affected.
If a data breach is notifiable, any organisation or agency covered by the Privacy Act 1988 must notify every affected individual as well as the Office of the Australian Information Commissioner.
Organisations have 30 days to determine if a breach is notifiable. Communications to individuals must include recommendations about the steps they should take in response to the data breach.
an all-time high for the report and a
Global average cost of a data breach in 2023
The most valuable information is personally identifiable information, which is used to perpetrate identity fraud, to fuel future phishing attacks or simply for financial gain.
Cybercrime is now a business, and a lucrative one at that.
IBM’s 2023 Cost of a Data Breach report revealed an average cost of $7 million per breach – a price tag that could potentially sink a small or medium business, or a not-for-profit organisation.
For that reason alone, malicious data breaches are not going anywhere.
of all data breaches results from cyber security incidents
Malicious attacks are the cause of 70% of notifiable data breaches, largely through ransomware, compromised or stolen credentials, or phishing emails that have exposed company networks.
But few attacks start with forcible entry into networks or with aggressive exploitation of system weaknesses. Cybercriminals are largely opportunists.
The Cyberthreat Defense Report released by US firm CyberEdge earlier this year suggests that 82% of all cyberattacks involve the human element.
Make the call
It is inevitable that a privacy breach or cyberattack will result in a loss of trust. How quickly that trust is rebuilt comes down to response.
An effective data breach response plan should outline a strategy for identifying, containing, assessing and managing a data breach incident.
Consideration should be given to an organisation’s ability to communicate rapidly in a crisis, and across scenarios such as a ransomware attack, privacy breach or supply chain breach.
Plan for a data breach crisis before you are in the middle of one.