Lessons from a data breach

The Optus data breach is top of mind for a lot of Australians, particularly those who have had their data breached.

For business, the breach is a timely warning on the importance of understanding what data is held on your customers (and whether you should hold it at all), how it is secured, how your systems work and the process to identify gaps and deficiencies, the appropriate actions if and when a breach occurs, and the impact on your relationship with your customers. This is not something that can be outsourced to IT; it is a whole-of-business issue.

The obligations on business

We all know that no system is 100% secure. For Optus, this is not the first time: in 2015, Optus agreed to an enforceable undertaking for breaching the Privacy Act.

A data breach happens when personal information is accessed or disclosed without authorisation or is lost. If the Privacy Act 1988 covers your business, you must notify affected individuals and the Office of the Australian Information Commissioner when a data breach involving personal information is likely to result in serious harm. The notification must be as soon as practicable but is expected to be no later than 30 days. Every day counts.

A business must take all reasonable steps to comply with its obligations to prevent data breaches occurring. These obligations are not limited to preventing cyber attacks. Malicious or criminal attacks represent 55% of all reported data breaches, but human error is responsible for 41% and system faults for 4%. Where human error was involved, 43% of cases were personal information emailed to the wrong recipient and 21% the unintended release or publication of personal information.

How to apologise

Your relationship with your client is about trust. Beyond the breach notification requirements, the other issue is the client relationship.

So, how should a business apologise? University of Chicago economist John List and Professor Benjamin Ho from Vassar College, along with other academics, studied this issue for Uber ride sharing. The experiment came about after John List, who was at the time Uber's Chief Economist, had a bad ride sharing experience. The bottom line? The apology must come at a cost to be effective. That cost can be reputational, a commitment to do better in the future (the cost is the higher standard), or a monetary cost. The paper states: First, apologies are not a panacea – the efficacy of an apology and whether it may backfire depend on how the apology is made. Second, across treatments, money speaks louder than words – the best form of apology is to include a coupon for a future trip. Third, in some cases sending an apology is worse than sending nothing at all, particularly for repeated apologies and apologies that promise to do better.

Helping to protect against data breaches

  • Understand your Privacy Act obligations. Specific industries, and businesses that hold specific types of data, often have additional requirements.
  • Review the personal information held on customers. Is their full date of birth a necessary part of what your business does? If you need to verify identity, do those identification documents really need to be stored once they have been validated, or is a positive confirmation enough? Is the data held securely, and is access limited to only those who require it?
  • Ensure systems have multifactor authentication.
  • Improve staff awareness not only of cyber threats and how to prevent them (phishing, fraudulent messages etc.), but also of how personal data is managed and accessed.
  • Understand your systems and how they work together, to prevent security gaps or ‘backdoor’ access to systems.

Note: The material and contents provided in this publication are informative in nature only. It is not intended to be advice and you should not act specifically on the basis of this information alone. If expert assistance is required, professional advice should be obtained.
