Make the call - Whitepaper

CANNINGS PURPLE WHITE PAPER

Data breach

Chris Leitch is Cannings Purple's data breach communications lead, driving risk management projects and shaping strategies for clients that allow leaders to be prepared and agile in crisis and issues management.

He is available to lead or support projects around data breach preparedness, including development of communications plans, scenario planning, auditing and testing existing plans, helping to build a secure data culture and developing data breach simulations to test resilience.

Community understanding about the protection of personal information has been growing in the digital transformation era and people are gravely concerned about their privacy.

An OAIC survey found a sharp rise in the number of Australians who feel data breaches are the biggest privacy risk they face today and nine in 10 people want more to be done to protect personal information.

In the survey, only four sectors (health, federal government, finance and education) were more trusted than not by Australians to handle their personal information.

The databases of telecommunications firm Optus were hacked in 2022, in one of the biggest breaches in Australian history. Up to 9.8 million current and former customers had personal data such as phone numbers, addresses, Medicare and driver’s licences stolen.

Optus CEO Kelly Bayer Rosmarin, reflecting on the data breach at a business lunch in March 2023, said the company did everything it could to protect customers but it was clear they were unprepared in terms of communications.

“We sent out 16 million customer communications [with] 110 different bespoke messages for the different cohorts...

“There were a couple of messages that, when you read them, you thought: ‘Oh, this looks like it’s been written by someone who hasn’t slept in four days’.

“I wish every single one of those 110 communications had been to our usual level of quality.”
- AFR, March 2023

Communications with clients and customers are the public facing interactions but the clarity of messages to staff, suppliers, and other stakeholders are equally important.

The Optus data breach

Close

Case study

Continue reading below

Why an action plan is critical

Fewer than half of people trust organisations to only collect the information they need, use and share information as they say they will, store information securely, give individuals access to their information and delete information when no longer needed.

The Australian Government is set to strengthen legislative protections on the back of a review of the Privacy Act handed down earlier this year.

Three proposed areas of significant change have been outlined by law firm Lander & Rogers:

Removal of small business and employee records exemptions, which would require businesses with turnover of less than $3 million to introduce or uplift their current privacy compliance program.
Mandatory privacy impact assessments, which would necessitate a privacy impact assessment prior to undertaking a “high privacy risk activity”.
Protection of de-identified information, a change that would require entities to take reasonable steps to protect de-identified information and ensure overseas entities do not re-identify any information that has been de-identified.

Clearly, the trust that people have with how organisations handle data is fragile at best, and managing privacy issues and communicating protection measures is vitally important.

It is inevitable that trust and confidence will be shaken by a data breach but how quickly that confidence is rebuilt can come down to the communication response.

A communications plan can sometimes be forgotten or is the last piece of the puzzle in developing a risk management strategy for data breaches.

But a flawed or poorly executed plan can further compound the reputational damage, and preparedness is a critical component to handling any data breach.

No crisis communication strategy can be effective if it is developed during a crisis.

A communications plan should consider:

Legal, regulatory, employer, moral or ethical reporting obligations
Where are the data breach risks internally, and where are the risks on the supply chain?
Stakeholder mapping: Who will lead communication actions? Who will make the calls?
Risk tolerance in the organisation as well as among stakeholders and suppliers
Developing a culture of risk awareness

Assessing an organisation’s current response capability is the first step in preparing a plan. Consider lines of communications internally and the stakeholder segments that will need to be engaged or notified, including regulators.

An understanding about how data is accessed within the organisation and through its supply chain can identify gaps in security protocols and facilitate the development of a security culture.

Consideration should be given to an organisation’s ability to communicate rapidly in a crisis across scenarios such as ransomware attack, privacy breach or supply chain breach, and develop a plan that includes collateral for several data breach risk scenarios.

Once you have a plan, it needs to be stress tested. Like a fire drill, communication channels can be evaluated to deliver an awareness among key staff about actions and plans assessed in a real-world environment.

An effective data breach response plan should outline a strategy for identifying, containing, assessing and managing a data breach incident.

Despite the best cybersecurity and technology efforts, data breaches are on the rise and best practice is for companies and organisations to be prepared for the worst.

Organisations must be thinking about how they will communicate with key stakeholders in the event of a breach.

Dealing with a data breach, and the fallout publicly, internally and among key stakeholders, is a highly challenging situation and it often comes with a long tail. The best practice is planning for a data breach crisis before you are in the middle of one.

Data breaches hit without warning. Being slow to act in a crisis can be as damaging as the breach itself, and business leaders should be prepared and ready to respond.