Mandatory reporting of data breach laws demand action

Dependency on technology has resulted in an increased risk of cyber-attacks. Sarah-Jane Aston looks at the plans you need to have in place under the new mandatory reporting laws for when – not if – the attack comes. 

The recent Wannacry global attack that affected at least 150 countries and more than 200,000 computers is an example of how much of an impact a data breach can have on business.

It saw computers in organisations that ranged from hospitals to banks to corporates encrypted by a modern-day highway robbery tactic known as ransomware: Pay up in bitcoin or your data gets it.

Beyond the operational implications, the reputational impact can be huge. Gone are the days when organisations could relegate the responsibility of cyber-security to their IT departments. It’s now up to boards and management teams to ensure each company has a solid cyber crisis management plan in place.

From a communication perspective, preparing a plan to engage with your stakeholders in the aftermath of a cyber-attack is as important as preparing and monitoring your IT infrastructure. The potential damage to an organisation’s reputation if an unreported cyber-attack is later revealed is limitless.

In fact, from February 22, 2018, mandatory reporting will mean that if an organisation subject to the Australian Privacy Act 1988 is affected by an “eligible data breach”, it will be legally obliged to alert both the Australian Information Commissioner and the people whose data has been compromised.

An eligible violation is defined as “data breaches, including data loss incidents, where a reasonable person would conclude that the breach would be likely to result in serious harm to any of the affected individuals”. Organisations have 30 days to complete an assessment of a suspected breach and if an “eligible data breach” is deemed to have occurred they must provide affected individuals with the following information:

• The identity of the organisation;
• The description of the breach;
• The kind of information concerned;
• Recommendations to the individual as to steps to take in response to the breach.

It’s not immediately clear from that definition whether last week’s ransomware attack would count, though it is likely it would incorporate a data loss incident, even if it looks like the data is being locked rather than stolen.

For ASX-listed companies that are subject to continuous reporting obligations, there is the added layer of shareholder reporting. Despite potentially not being in a position to quantify the violation at an early stage, there is a requirement to report material information as soon as practicable.

The solution, at least from a reputation management standpoint, is clear: a crisis communication plan that identifies key stakeholders, protocols and required engagement will ensure your business is well-prepared should the unthinkable happen.

So, from a practical perspective, what are the key things to consider?

First of all, recognising there has been an issue, and sharing what you are doing about it, is vital. There may be different messages for different stakeholders, but getting on the front foot and acknowledging the issue is always a better tactic than hoping it remains secret. Being transparent about the information you currently have, and that which you don’t yet know, is also vital.

Secondly, offering support to those affected is important, but only if it’s genuine. There’s no point having one set of public messages if your private behaviour doesn’t support your position. Transparency and honesty are important.

Communicating with staff will also be critical to ensure they are aware of what’s happened, wary for signs of another attack and clear about the organisations communication and social media policy. Customer-facing employees will require briefing on the amount of information they can relay. Informing and reassuring staff regarding the status of their own personal data is also incredibly important.

Perhaps most importantly, recognise when you need support. If your organisation lacks the resources necessary to create or implement a cyber crisis communication strategy, seek out support.

Sarah-Jane Dabarera is the Account Services Co-Ordinator for Purple’s Design and Digital team and has communications experience in the legal, property and innovation and technology sectors. She is  IAP2-certified in community and stakeholder engagement. Contact Sarah-Jane.

Purple has the expertise and experience to ensure your organisation is prepared for a cyber-attack and to assist you to manage situations as they unfold. If you would like to discuss your cyber crisis communication plan, please contact us on 08 6314 6300.