After a Cyber Attack - Who to Notify and When?

“Under the NDB scheme, organisations of all sizes are obliged to notify affected individuals of eligible data breaches,” says Jon Malone, General Manager AML, Fraud and Identity at Equifax.

There are significant fines for non-compliance, explains Malone, as the Office of the Australian Information Commissioner (OAIC) wants businesses to take their notification obligations seriously. 

“Once disclosure occurs, your customers can take steps to reduce the risk of harm to them.

“Of course, timing is everything. If you drag your heels and your customers find out through another source that their personal information is compromised, the damage to your reputation could be long-lasting,” he says.

Who to notify?

The NDB scheme came into effect on 22 February 2018. Its rules apply to all agencies and organisations that are covered by the Australian Privacy Act 1988 (Cth), which includes most businesses with an annual turnover over $3 million, as well as regulated organisations under the Privacy Act with lower yearly turnovers. 

When a data breach occurs, the NDB specifies that your priority is to contain the breach and take remedial action. If this corrective action fails to mitigate the risk of serious harm, you must notify the Commissioner and the affected individuals.

What does breach notification involve?

The OAIC has an online form that can be used to prepare a statement to the Commissioner about the breach. When notifying customers, you can use your usual means of communication, whether it be a letter, email, phone or online. The notification must include the type of breach, the personal information affected and advice about what they should do.

Clarity and accessibility are crucial elements when communicating with customers. Ensure your message is clear and in plain English, says Malone. Advise them what steps to take to remediate their affected identity or protect themselves. And offer means of support, such as a helpline or a micro-website.

“Ensure your customer communication contains contact details of credit reporting bodies such as Equifax so they can contact us and put an alert or ban on their credit file.” 

The next step is to guide customers towards an Access Seeker model like Get Credit Score. Free to join, customers can access and monitor their credit scores on an ongoing basis. Consumers can also subscribe to credit monitoring plans such as Your Credit & Identity where consumers can access their credit file, receive credit alerts notifying of any changes to their record, as well as dark web monitoring depending on the plan type chosen. These alerts can provide a crucial early warning of identity theft. 

Malone urges businesses to provide customers with the contact details of an identity remediation partner. “IDCARE is a not-for-profit charity and Australia’s largest identity and cyber support service. They can work with your customers to go through the steps needed for mitigation,” he says.

It’s vital to prepare your staff for how to field customer questions about the breach, says Malone. “Customers are spending hours trying to remediate their affected identity, so the implications for them are genuine and painful,” he says.

“Ensure your staff come across as being able to empathise with your customers about what an exhausting and exacerbating process this is for them.”

When is a data breach notifiable?

Three criteria define whether an incident is considered an ‘eligible data breach’ and notifiable under the NDB scheme.

Criteria #1: Your customer’s personal information is compromised in any of these ways:

• Unauthorised access, such as when a security system is compromised.
• Unauthorised disclosure, such as when a staff member sends personal information in an email to the wrong recipient or your customer database is accidentally made publicly available on the internet.
• Lost, such as when data storage devices or laptops are misplaced.

Criteria #2: The breach is likely to result in serious harm to one or more individuals.

The definition of serious harm isn’t included in the Privacy Act, so keep in mind the damage can take any form, including psychological, physical and reputational.

Criteria #3: Your efforts to prevent the likely risk of serious harm with remedial action haven’t worked.

The Commissioner expects that you have conducted an assessment to determine whether there are reasonable grounds to suspect there may have been an eligible data breach. And this assessment is expected to be completed quickly or within a maximum of 30 calendar days of becoming aware. Companies that react faster have a better chance of minimising the harmful implications.

What is considered ‘personal information’?

Personal information is described under the Privacy Act as “information or an opinion about an identified individual, or an individual who is reasonably identifiable”. Examples include name, date of birth, credit card details and medical records. Note that the definition extends to any information that identifies or reasonably identifies an individual. 

Some information might be perceived as not ‘personal’ enough to identify an individual, but when combined with other information it might. Malone explains that when assessing what is personal information in the context of an eligible data breach, you should ask yourself whether there is a connection between the data and the person. Is there even a hint of potentially identifiable information?

Your business procedures for assessing a suspected breach will help you evaluate whether the information identifies or reasonably identifies an individual. For the assessment, gather relevant information like the nature of the affected data, the amount, who will have access to it and potential impacts. 

When you’re in doubt, the Commissioner advises you err of the side of caution and treat the information as personal.

Who is responsible if you’re using a third party?

If you’re using a cloud-managed service provider or are in a joint venture, the responsibility for dealing with a data breach is shared by both parties. A data breach by one entity affects all entities that jointly hold the personal information and all have obligations under the NDB scheme. When it comes to notifications, generally the Commissioner suggests that the body with the most direct relationship with the individual affected by the breach should notify them. 

“It’s vital to get these responsibilities in writing at the start of your contractual relationship with a third party,” advises Malone.

“From the outset, you need to be clear what takes place if there is a data breach and who looks after each step of the process. Include this in your data breach strategy <link to ‘How to Protect Your Business From Cyber Threats’ article when published>, so all parties can move quickly to respond to a cyberattack.” 

Equifax has a range of products and services that can help businesses verify identify and mitigate fraud risk. Contact us to find out more.

The information contained in this article is general in nature and does not take into account your organisation's objectives, financial situation or needs.  Therefore, you should consider whether the information is appropriate to your organisation's circumstance before acting on it, and where appropriate, seek professional advice.