The Optus data breach is top of mind for a lot of Australians, particularly those who have had their data stolen.
For business, the breach is a timely warning on the importance of understanding what data is held about your customers and why, how it is secured, how your systems work, the process to identify gaps and deficiencies, the appropriate actions if and when a breach occurs, and the impact on your customer relationships.
This is not something for IT to worry about alone, but a whole-of-business issue.
We all know that no system is 100% secure. For Optus, this was not the first time. In 2015, Optus agreed to an enforceable undertaking for breaching the Privacy Act.
A data breach happens when personal information is accessed or disclosed without authorisation or is lost. If the Privacy Act 1988 covers your business, you must notify affected individuals and the Office of the Australian Information Commissioner when a data breach involving personal information is likely to result in serious harm. The notification must be as soon as practicable but is expected to be no later than 30 days. Every day counts.
A business must take all reasonable steps to comply with its obligations to prevent data breaches from occurring. These obligations are not limited to preventing cyber attacks. Malicious or criminal attacks represent 55% of all reported data breaches, but human error is responsible for 41% and system faults for 4%. Of the human error-driven breaches, 43% saw personal information emailed to the wrong recipient and 21% saw the unintended release or publication of personal information.
Your relationship with your customers is built on trust. Beyond the breach notification requirements, the other key issue is maintaining customer relationships.
So, how should a business apologise? University of Chicago economist John List, Professor Benjamin Ho from Vassar College, along with other academics, studied this issue for Uber ride sharing – the experiment came about after John List, who was at the time Uber’s Chief Economist, had a bad ride sharing experience. The bottom line? The apology must come at a cost to be effective. That cost can be reputational, a commitment to do better in the future (the cost is the higher standard), or a monetary cost.
The paper states: First, apologies are not a panacea – the efficacy of an apology and whether it may backfire depend on how the apology is made. Second, across treatments, money speaks louder than words – the best form of apology is to include a coupon for a future trip. Third, in some cases sending an apology is worse than sending nothing at all, particularly for repeated apologies and apologies that promise to do better.
IMPORTANT NOTICE
This blog post contains general information only and has been provided by Allworths without reference to your objectives, financial situation or needs. Allworths cannot guarantee the accuracy, completeness or timeliness of the information contained here. By making this information available to you, we are not providing professional advice or recommendations. Before acting on any of the information contained here, you should seek professional advice.