An old computer which is at risk from data breach.
October 19, 2022 By Tony Madden

Lessons from a data breach

Share:

The Optus data breach is top of mind for a lot of Australians, particularly those who have had their data breached.

For business, the breach is a timely warning on the importance of understanding what data is held on your customers (and should you hold it?), how it is secured, how your systems work and the process to identify gaps and deficiencies, the appropriate actions if and when a breach occurs, and the impact on your relationship to your customer. This is not something that can be outsourced to IT but a whole of business issue.

The obligations on business

We all know that no system is 100% secure. For Optus, this is not the first time. In 2015, Optus agreed to an enforceable undertaking for breaching the Privacy Act in 2015.

A data breach happens when personal information is accessed or disclosed without authorisation or is lost. If the Privacy Act 1988 covers your business, you must notify affected individuals and the Office of the Australian Information Commissioner when a data breach involving personal information is likely to result in serious harm. The notification must be as soon as practicable but is expected to be no later than 30 days. Every day counts.

A business must take all reasonable steps to comply with its obligations to prevent data breaches occurring. These obligations are not limited to preventing cyber attacks. Malicious or criminal attacks represent 55% of all reported data breaches. But, human error is responsible for 41% and 4% through system faults. Where human error was involved, 43% was where personal information was emailed to the wrong recipient and 21% the unintended release or publication of personal information.

How to apologise

Your relationship with your client is about trust. Beyond the breach notification requirements, the other issue is the client relationship.

So, how should a business apologise? University of Chicago economist John List, Professor Benjamin Ho from Vassar College along with other academics studied this issue for Uber ride sharing – the experiment came about after John List, who was at the time Uber’s Chief Economist, had a bad ride sharing experience. The bottom line? The apology must come at a cost to be effective. That cost can be reputational, a commitment to do better in the future (the cost is the higher standard), or a monetary cost. The paper states: First, apologies are not a panacea - the efficacy of an apology and whether it may backfire depend on how the apology is made. Second, across treatments, money speaks louder than words - the best form of apology is to include a coupon for a future trip. Third, in some cases sending an apology is worse than sending nothing at all, particularly for repeated apologies and apologies that promise to do better.

Helping to protect against data breaches

  • Understand your Privacy Act obligations. Specific industries and businesses that hold specific types of data often have advanced requirements.

  • Review the personal information held on customers. Is their full date of birth a necessary part of what your business does? If you need to verify identify, do those identification documents really need to be stored once they have been validated? Or is positive confirmation enough? Is the data held securely and is access limited to only those who require access?

  • Ensuring systems have multifactor authentication

  • Improving staff awareness of not only cyber threats and how to prevent them - phishing, fraudulent messages etc, but reviewing how personal data is managed and accessed.

  • Understanding your systems and how they work together to prevent security gaps or ‘backdoor’ systems access.




About Author

Tony Madden

Tony is a director of Trekk and based in our Brisbane office. He works heavily in the advisory space for his clients, focusing on strategic management consulting, mentoring, and resource planning with a driver of making a difference in their businesses and lifestyle. Tony has key strengths in building teams and is an active listener in working to address the pain points in clients' businesses. He had a passion for small business from a young age due to being brought up with a family of business owners. He's worked with larger corporations and not-for-profits, but he's always drawn back to helping and supporting small to medium (SME) businesses. That's why he's a Director of Trekk, because supporting SME is something we are all passionate about here. Outside of work, Tony has an active family with three sons that love sports, music and socialising. He enjoys having a drink and some laughs with mates and working on restoring his old EH Holden. He’s a passionate Eels NRL and Reds Rugby supporter with a love of vintage and muscle cars, 80’s Rock and keen runner (for the mind & body), Tony also has a laugh by 'acting the goat' at any event where he can embarrass his kids.

Related Posts

Submit Your Comment

Subscribe our newsletter to get
latest news & updates

Lorem ipsum dolor sit amet consectetur adipiscing elit