
As the cyber landscape grows increasingly risky, the impact of data breaches is being felt by more and more Australians. This is reflected in the Office of the Australian Information Commissioner’s (OAIC) notifiable data breaches statistics, which show a sustained flow of reported breaches.

It is therefore no surprise that the cybersecurity conversation has shifted from asking ‘if’ a company will experience a data breach to anticipating ‘when’ the breach will occur (read more about the OAIC statistics in our article here).

This article examines how to manage the aftermath of a data breach and provides essential information to assist you in supporting affected individuals in the notification stage of your data breach response.

Should you notify?

Many data breaches will also qualify as an eligible data breach under the Notifiable Data Breaches (NDB) scheme in the Privacy Act 1988 (Cth), which establishes a legislative framework for identifying and managing data breaches. A breach is ‘eligible’ where there has been unauthorised access to, unauthorised disclosure of, or loss of personal information, a reasonable person would conclude the breach is likely to result in serious harm to one or more affected individuals, and remedial action has not prevented that harm. If an eligible data breach occurs, you must notify affected individuals and the OAIC as soon as practicable.

However, there are also circumstances where your legal obligations may not require notification to affected individuals, but it may still be prudent to proactively inform customers about the data breach. These include:

  • Shared responsibility: Where your company and another entity both hold the personal information involved in a breach, the NDB scheme only requires one of them to notify, and compliance by one discharges the obligation for both. In practice the party at fault typically submits the statement to the OAIC, but either party may choose to notify its own customers. For example, if a data storage provider experiences a breach, it will notify its customers; your company might nevertheless prefer to notify your customers directly so that the communication comes from a familiar and trusted source, thereby managing public perception and reinforcing customer confidence even if the breach was not your fault (existing contracts will also affect who discloses).
  • Minor data breach: If a breach occurs that does not meet the threshold for mandatory notification under the Privacy Act, you may still want to notify affected individuals voluntarily. For example, it can be a useful way to establish trust. Additionally, if customers are going to hear about the breach in any event, you may prefer to be ahead of any negative press.

It is worth observing, of course, that notifying customers unnecessarily can cause needless stress and anxiety. Consider the nuances of the situation and decide what is best for those affected.

What information do you need to include in your notification?

If you have decided to notify affected individuals, it is prudent to adopt a standard that, as a minimum, meets the NDB requirements. Your notification must therefore contain:

  • the company’s name and contact details
  • a description of the breach, which may include what information was accessed and whether the data was leaked online
  • the types of information involved, and
  • recommended steps for individuals to protect themselves (we unpack this later).

You should also consider how the notification should occur, which may include consideration of the following:

  • how the notice will be provided (via email, social media, or on your website?)
  • who is responsible for notifying and creating the notification
  • who else other than those affected and the OAIC should be notified (for example, does your insurer need to be notified?)
  • whether a law enforcement agency is investigating the breach and if it is appropriate to consult the investigating agency before making details of the breach public, and
  • whether the incident triggers reporting obligations to other entities (for example, reporting to the Australian Signals Directorate if a ransomware payment has been made).

An effective notification should assist in reducing harm to those affected whilst also protecting your business objectives.

Helpful tips and explainers for the affected individual

As touched on previously, your notification to affected individuals must include recommended precautionary steps individuals can take to protect their personal information from misuse. Some affected individuals may be distressed that their data has been leaked, and it is important to help them feel supported. The following tips and explainers can assist your company in supporting individuals affected by the data breach.

Checking whether your data has been compromised, and what an injunction means

Your company can direct affected individuals to online tools such as Have I Been Pwned, a website developed by Australian cyber security expert Troy Hunt and recommended by the Australian Signals Directorate and the ABC. The tool allows individuals to check whether their email address or phone number appears in known data breaches.[1]

Please note that the website only covers breaches that have been loaded into it, so a negative result does not guarantee that an individual’s data is safe. It is also likely to exclude data protected by court-ordered injunctions, which a number of entities have obtained to restrain third parties (including the media) from accessing or publishing their leaked data. While an injunction helps limit further damage from a breach, it also prevents affected individuals from finding out for themselves whether their data is available online, which is partly why most breach notifications now state whether the personal information has been leaked online.
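For readers who want to see how a privacy-preserving breach check works in practice, the following is an added example (not code from the original article or from Have I Been Pwned). It goes beyond the email lookup discussed above: it uses Have I Been Pwned’s Pwned Passwords range endpoint, which needs no API key and never receives the password itself. Only the first five characters of the password’s SHA-1 hash are sent; the server returns every known suffix for that prefix, and the match is made locally. The sample response body is constructed here so the check runs offline; `http_range_fetcher` shows the real request but is not exercised.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Pwned Passwords k-anonymity model: send a 5-hex-char SHA-1 prefix,
# receive all suffixes seen for that prefix, compare locally.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF-terminated in the real API) into a map."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in known breaches (0 = not found).

    A result of 0 means 'not in the corpus', not 'safe': the corpus only
    contains breaches that have been loaded, and injunction-protected data
    may be absent.
    """
    prefix, suffix = split_sha1(password)
    body = fetch_range(prefix)          # only the prefix leaves the machine
    return parse_range_response(body).get(suffix, 0)


def http_range_fetcher(prefix: str) -> str:
    """Real fetcher for the range endpoint (network access required)."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={
            "User-Agent": "breach-notification-helper-example",  # HIBP requires a UA
            "Add-Padding": "true",  # pads the response so its size leaks nothing
        },
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the API response. The first suffix is the
# genuine suffix for "password123"; the other two are made-up filler with a
# count of 0, which is what the Add-Padding option produces for padding rows.
_KNOWN_PREFIX, _KNOWN_SUFFIX = split_sha1("password123")
_CONSTRUCTED_BODY = "\r\n".join([
    f"{_KNOWN_SUFFIX}:123456",
    "0018A45C4D1DEF81644B54AB7F969B88D65:0",
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0",
]) + "\r\n"


def constructed_fetcher(prefix: str) -> str:
    """Offline fetcher: only answers for the constructed prefix."""
    if prefix != _KNOWN_PREFIX:
        return ""           # no suffixes known for any other prefix
    return _CONSTRUCTED_BODY


if __name__ == "__main__":
    for pw in ("password123", "correct horse battery staple"):
        n = pwned_count(pw, constructed_fetcher)
        print(f"{pw!r}: seen {n} time(s) in the constructed corpus")
```

To check a real password, replace `constructed_fetcher` with `http_range_fetcher`. Note that this endpoint checks passwords only; looking up whether an email address appears in a breach uses a separate endpoint that requires an API key and a direct query, so it offers no equivalent anonymity.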

Where can you find your credit reports

Concerned individuals can review their credit reports to reveal any attempts by others to apply for credit in their name. Individuals are entitled to request a free copy of their credit report from the Australian credit reporting bodies, the three main ones being:

  • Equifax
  • illion
  • Experian

The OAIC has also advised that individuals monitor their bank accounts and credit card statements for unusual or suspicious activity.

What other precautionary measures can you take to protect your data?

  • Remain vigilant: Verify links sent via email or text before clicking them. If an individual receives an unexpected phone call purporting to be from the company affected by the breach, they should act with caution, hang up and call the company back on a number obtained through official channels. Using a spam filter can also help manage unsolicited messages.
  • Online account passwords: individuals should never provide passwords or other login credentials to an organisation, even when asked for them; a legitimate organisation will not request them.
  • Multi-factor authentication: wherever possible, individuals should enable multi-factor authentication on personal email accounts and any other sensitive online accounts.
  • Back up important information: regularly back up personal devices so that data can be restored if it is damaged, lost, stolen or encrypted by ransomware.
  • Security updates: keep devices and software updated and ensure anti-virus software is installed.
  • Visit resources such as IDCARE, the Australian Cyber Security Centre, Scamwatch and the Office of the Australian Information Commissioner, as well as the top cyber security tips for individuals and the guidance on increasing your online security with myID, for further information and resources.


[1] Dannielle Maguire, ‘How do I check if I've been hacked? What should I be watching out for? Here's a cyber security expert's tips on how to protect yourself’, ABC News (Australia, 28 October 2022).
