14 Mar Is your crisis response plan data-breach ready?
Australia persists as the lucky country – 26 years of uninterrupted economic growth, a safe, pristine environment, and, until now, no mandatory requirement for a company headquartered or operating here to report a data breach.
That changed on 22 February 2018, and the first public notifications may follow within months. Organisations covered by the Privacy Act (which includes businesses with annual turnover of more than $3m, along with some smaller entities such as private health service providers) are now required to notify the Office of the Australian Information Commissioner (OAIC), and the individuals affected, of any data breach involving personal information that is likely to result in serious harm to any of those individuals.
The OAIC refers to these as ‘eligible data breaches’ and it’s a matter of when – not if – one of these is reported to the Australian public. Because when it comes to cyber security, there’s no moat wide enough, wall high enough or barrier strong enough to stop a determined attacker.
If it can happen to Sony, Uber and Equifax, it can happen to you.
When an organisation suffers a data breach involving sensitive personal information, it is judged as much on its public response to the breach as on the fact that the breach happened at all.
Be careful with the timeline. The scheme does not give you 30 days to notify: the 30-day period in the Act is the maximum time allowed to assess whether a suspected breach is an eligible data breach. Once the organisation has reasonable grounds to believe it is, it must prepare a statement for the OAIC and notify affected individuals as soon as practicable. That assessment period is for investigation and containment, not for writing the data breach section of your crisis management plan from scratch; the plan must already exist so that it can be tailored to the specific circumstances quickly.
So what do you need to do today to make sure you’re prepared for the inevitable?
Make sure you’ll be alerted when a breach occurs
Communications and marketing need to be alerted as soon as a breach is discovered, which means the security or IT team that detects incidents must have them on its escalation list from the start. You cannot afford to lose 10 days before you start communicating with everyone whose data has been compromised, especially since the notification itself must identify your organisation and its contact details, describe the breach and the kinds of information involved, and recommend steps those individuals should take. The quicker and more transparently you can communicate this, the better your reputation will weather the storm.
Build a data breach management scenario into your crisis plan
Remember – it’s when, not if. If you hold personal information about anyone on any of your systems, it’s a target. So engage somebody to help prepare your organisation for the inevitable, and build in as much detail as possible. For example, have you considered whether a call to each affected customer is the best form of notification for your organisation? If so, have you engaged a call centre provider you trust to make those calls, and worked out which customer details you would need to hand to that provider, since it then holds a copy of the same personal information?
Practice makes perfect – and practice helps iron out the kinks in your data breach crisis management plan. A scenario drill will identify opportunities for further training, streamlining and more effective implementation.
If you haven’t already, I hope you’re able to tick off at least the first item in short order, if not complete the list. If you’re struggling, Sefiani is always here to help with your issues management preparedness, including data breach planning and scenario drills to make sure that you and your crisis team are well versed in using the plan ahead of an incident.