The Optus data breach is top of mind for a lot of Australians, particularly those who have had their data stolen.

For business, the breach is a timely warning on the importance of understanding what data is held about your customers and why, how it is secured, how your systems work, the process to identify gaps and deficiencies, the appropriate actions if and when a breach occurs, and the impact on your customer relationships.

This is not something for IT to worry about alone, but a whole of business issue.

The obligations on business

We all know that no system is 100% secure. For Optus, this was not the first time. In 2015, Optus agreed to an enforceable undertaking for breaching the Privacy Act. 

A data breach happens when personal information is accessed or disclosed without authorisation or is lost. If the Privacy Act 1988 covers your business, you must notify affected individuals and the Office of the Australian Information Commissioner when a data breach involving personal information is likely to result in serious harm. The notification must be as soon as practicable but is expected to be no later than 30 days. Every day counts.

A business must take all reasonable steps to comply with its obligations to prevent data breaches occurring. These obligations are not limited to preventing cyber attacks. Malicious or criminal attacks represent 55% of all reported data breaches. But, human error is responsible for 41% and system faults for 4%. Of the human error-driven breaches, 43% saw personal information emailed to the wrong recipient and 21% saw the unintended release or publication of personal information.

How to apologise

Your relationship with your customers is built on trust. Beyond the breach notification requirements, the other key issue is maintaining customer relationships.

So, how should a business apologise? University of Chicago economist John List, Professor Benjamin Ho from Vassar College, along with other academics, studied this issue for Uber ride sharing – the experiment came about after John List, who was at the time Uber’s Chief Economist, had a bad ride sharing experience. The bottom line? The apology must come at a cost to be effective. That cost can be reputational, a commitment to do better in the future (the cost is the higher standard), or a monetary cost.

The paper states: First, apologies are not a panacea – the efficacy of an apology and whether it may backfire depend on how the apology is made. Second, across treatments, money speaks louder than words – the best form of apology is to include a coupon for a future trip. Third, in some cases sending an apology is worse than sending nothing at all, particularly for repeated apologies and apologies that promise to do better.

Helping to protect against data breaches

  • Understand your Privacy Act obligations: specific industries and businesses that hold specific types of data often have advanced requirements 
  • Review the personal information held on customers: is knowing their full date of birth a necessary part of what your business does? If you need to verify identify, do those identification documents really need to be stored once they have been validated? Or is positive confirmation enough? Is the data held securely and is access limited to only those who require access?
  • Ensure your systems have multifactor authentication
  • Improve staff awareness of cyber threats and how to prevent them: e.g. how to spot phishing attempts and fraudulent messages, but also review how personal data is managed and accessed
  • Understand your systems and how they work together to prevent security gaps or ‘backdoor’ systems access

IMPORTANT NOTICE

This blog post contains general information only and has been provided by Allworths without reference to your objectives, financial situation or needs. Allworths cannot guarantee the accuracy, completeness or timeliness of the information contained here. By making this information available to you, we are not providing professional advice or recommendations. Before acting on any of the information contained here, you should seek professional advice.

Allworths
Allworths

Related posts

October 28, 2024

Using Super For Medical Costs: Is It Worth It?

Read more
October 21, 2024

Claiming Immediate Deductions for Depreciating Assets: A Guide for Employees

Read more
October 14, 2024

What Is Business Liability & How Can You Protect It?

Read more

Leave a Reply

Your email address will not be published. Required fields are marked *