15 February 2018
The introduction of Notifiable Data Breach laws means that from 22 February 2018, organisations subject to Australia’s Privacy Act 1988 (Cth) will be required to notify affected customers about serious data breaches.
Australian Red Cross Blood Service (Red Cross), Domino’s, Equifax and Uber all suffered prominent data breaches in the past two years and reactions to their responses and media statements have been mixed. A poor response can impact share price, business image and customer confidence.
Data breach responses involve far more than meeting the requirements of the Privacy Act: some data breach responses have been torn apart, word by word, by the media. So what can we learn from the successes and failures of previous data breach responses?
In the wake of a data breach, multiple departments will be weighing in on the response – technical teams, public relations and legal will all want to have a say.
However, it is important not to publish the response with a chorus of different authors. The media can be painstakingly attentive, with a commentator on the Equifax ‘bungled’ data breach response statement noting that:
As is so often the case with such statements, this is a shambolic text evincing collective and perhaps contentious authorship: Note, for example, the erratic spacing after periods, sometimes one, sometimes two. (In one case, the space seems to be missing altogether after a hyperlink.) In such details, we glimpse the outer edges of a hastily assembled response: Paragraphs bounced back and forth between divisions and departments over email, lawyers screaming at one another over the phone.
This just goes to show that the reception of a statement can turn on something as superficial as its spacing and punctuation.
Make sure that a data breach response is settled by one individual, who can ensure that all parts of the statement reflect a single ‘voice’ of the organisation.
“This has never been more important in this age of endless analysis and commentary via social media, where responses and statements are probed and picked apart as much as the incident itself,” says Geoff Elliott, joint managing partner of GRACosway, a corporate financial communications firm. “Managing the flow of information is increasingly complex in this media age and it is tested in times of crisis.”
To avoid the pressures of review in a crisis situation, it is advisable to have a holding statement settled, approved and ready to go (subject to being customised for the circumstances of the data breach). Not only will the grammar be ironed out, the statement will have been drafted when the author had the luxury of time rather than under the pressure of a crisis.
Just make sure it is available in hard copy, or on a system independent of your main environment, because the incident that makes you reach for it may be the same one that has taken your email and document systems down.
It is imperative to ensure that the apology comes across as genuine. Attempts to blame others, attribute fault to systems or references to circumstances outside your control will not be well received.
The Red Cross data breach statement is an exemplar of genuine apology because it does not shy away from the mistake:
We are incredibly sorry to our donors. We are deeply disappointed this could happen. We take full responsibility and I assure the public we are doing everything in our power to not only right this but to prevent it from happening again.
This acceptance of responsibility was communicated even though the specific data breach incident was caused by the Red Cross’ third-party service provider.
By contrast, the statement released by Domino’s after a data breach of customer information does not apologise for any issues but rather informs readers that it is “investigating a potential issue with a former supplier’s systems that may have led to [personal information] being accessed as a result”.
Its response was criticised in part for downplaying the seriousness of the incident, with one journalist obtaining additional information about the breach by threatening to report the company to the Australian Privacy Commissioner.
Further, if there is any reasonable implication that the statement is telling consumers not to worry that their personal data has been breached, there is bound to be negative media coverage. Equifax, in particular, was in hot water for ‘breezily’ introducing their huge data breach, before going on to explain that there was no evidence of unauthorised access on core databases.
Readers want to know that you care about their personal information as much as they do, so make sure that you show it.
“An organisation needs to genuinely convey a sense of empathy to affected stakeholders – it goes to the credibility of the firm that the seriousness of the breach is appreciated and that it will be causing concern,” adds Elliott.
It is clear that the shorter and vaguer the statement, the more scope it gives the media to speculate about the silences.
It is tempting to dress up a data breach incident in jargon and point to the unlikelihood of serious risks associated with the incident. If there’s been no evidence of unauthorised access, why wouldn’t you console affected individuals with that fact?
Unfortunately, multiple media articles demonstrate that the media’s reaction to limited information is that the organisation is hiding something – and probably hiding something sinister.
If there’s been a technical fault, don’t be brief about it – instead give enough information for readers to understand the scope of the incident (what data was involved, how it was exposed and for how long) and any residual risks.
If information has been improperly disclosed (e.g. made available on the internet), don’t downplay the risk of access and misuse. Domino’s was particularly criticised for suggesting that information was only “accessed” and not “downloaded” to their knowledge. A journalist wryly responded:
…that’s like saying, ‘We left a binder of your personal information on the footpath and no one photocopied it. That we know of’.
It is also important to ensure that the affected individuals know exactly what data has been accessed (which fields, whether passwords were stored in hashed form, whether payment or identity document details were involved) so they can take steps to protect themselves, such as changing credentials or watching for phishing, against any harm that may flow. Don’t skimp on the details.
Uber is an important example of timing when it comes to a data breach response. Media reported that instead of notifying 57 million customers about a data breach involving their data, Uber (on the decision of an employee) paid the hackers US$100,000 and hid the breach for a year. This undermined the trust of many Uber customers and drivers. Uber was described as concealing the breach, and the media described the incident as ‘shameful handling’ of a data breach. Fortunately, when the C-suite became aware of the cover-up, it quickly took steps to inform the public.
Conversely, the Red Cross has been praised by the Australian Privacy Commissioner for its comprehensive response just two days after being alerted to the breach. The statement was published through a range of different platforms to ensure that it reached affected individuals – if an individual received multiple forms of communication (SMS and email), there was no hint that “over-notification” was an issue. Individuals were grateful to receive direct and comprehensive communications.
Responding quickly with a statement about the data breach will help maintain the integrity and transparency of your business. If there are any hints that a business may have concealed, or attempted to conceal a breach, the media and public response can be unforgiving.
“If your response processes are in place and you are bullet proof on facts, you won’t be marked down for action and proactivity in these circumstances,” adds Elliott.
Ensure that your statement explains the plans that you have put in place to ensure data is kept more secure in the future. Commit to learning from your mistakes, and regaining the trust of your customers. A good example of this in a statement was the Uber CEO’s response to their data breach:
None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.
The media’s reaction to a data breach statement may reach more of the public than your statement, so you need to take steps to avoid the reaction harming consumer confidence and trust in your business.
Make sure that your business is prepared in the event of a data breach. Respond quickly, apologise genuinely, acknowledge the seriousness, and be specific. A well-crafted statement may turn around a bad situation effectively, so the task of crafting it should be taken seriously.
Corrs Cyber is a rapid-response cyber security team, created to help organisations prepare for and recover from a cyber-attack or data security breach. Our multidisciplinary team provides access to data breach management specialists, including legal advisers, IT forensic investigation specialists, cyber risk and incident response consultants, and crisis and reputation management services. With the ability to respond to any type of cyber incident, the Corrs Cyber team offers a complete, solution-based, round-the-clock cyber incident service.
Thanks to Naomi McCarthy (CareerTrackers intern) for her assistance in preparing this article.
Australian Red Cross Blood Service, ‘Blood Service Apologises for Donor Data Leak’, 28 October 2016.
The content of this publication is for reference purposes only. It is current at the date of publication. This content does not constitute legal advice and should not be relied upon as such. Legal advice about your specific circumstances should always be obtained before taking any action based on this publication.