FIVE IMPORTANT LESSONS FROM MEDIA REACTION TO DATA BREACH NOTIFICATIONS

By Helen Clarke, Partner, and Viva Paxton, Lawyer — Corrs Chambers Westgarth Lawyers | 6 Mar 2018

The introduction of Notifiable Data Breach laws means that from 22 February 2018, organisations subject to Australia’s Privacy Act 1988 (Cth) will be required to notify affected customers about serious data breaches. 

Australian Red Cross Blood Service (Red Cross), Domino’s, Equifax and Uber all suffered prominent data breaches in the past two years and reactions to their responses and media statements have been mixed. 

A poor response can impact share price, business image and customer confidence. 

Data breach responses involve far more than following the requirements of the Privacy Act — there are some data breach responses which have been torn apart, word by word, by the media. 

So what can we learn from the successes and failures of previous data breach responses? 

LESSON 1: SPEAK WITH ‘ONE VOICE’

In the wake of a data breach, multiple departments will be weighing in on the response — technical teams, public relations and legal will all want to have a say. 

However, it is important not to publish the response with a chorus of different authors.  

The media can be painstakingly attentive, with a commentator on the Equifax ‘bungled’ data breach response statement noting that:[1]  

As is so often the case with such statements, this is a shambolic text evincing collective and perhaps contentious authorship: Note, for example, the erratic spacing after periods, sometimes one, sometimes two. (In one case, the space seems to be missing altogether after a hyperlink.) 

In such details, we glimpse the outer edges of a hastily assembled response: Paragraphs bounced back and forth between divisions and departments over email, lawyers screaming at one another over the phone. 

This goes to show that the reception of a statement can turn on something as superficial as its grammar.

Make sure that a data breach response is settled by one individual, who can ensure that all parts of the statement reflect a single ‘voice’ of the organisation.  

'This has never been more important in this age of endless analysis and commentary via social media, where responses and statements are probed and picked apart as much as the incident itself,' says Geoff Elliott, joint managing partner of GRACosway, a corporate financial communications firm. 

'Managing the flow of information is increasingly complex in this media age and it is tested in times of crisis.' 

To avoid the pressures of review in a crisis situation, it is advisable to have a holding statement settled, approved and ready to go (subject to being customised for the circumstances of the data breach). 

Not only will the grammar be ironed out, it will have been drafted when the author has the luxury of time, as compared to a crisis situation.  

Just make sure it’s available in hard copy, as you never know if the time you need it is the time your IT systems are down.  

LESSON 2: ACKNOWLEDGE THE SERIOUSNESS OF A BREACH AND APOLOGISE GENUINELY 

It is imperative to ensure that the apology comes across as genuine. 

Attempts to blame others, attribute fault to systems or references to circumstances outside your control will not be well received.  

The Red Cross data breach statement is an exemplar of genuine apology because it does not shy away from the mistake:[2]  

We are incredibly sorry to our donors. We are deeply disappointed this could happen. We take full responsibility and I assure the public we are doing everything in our power to not only right this but to prevent it from happening again.  

This acceptance of responsibility was communicated even though the specific data breach incident was caused by the Red Cross’s third-party service provider.

By contrast, the statement released by Domino’s after a data breach of customer information does not apologise for any issues but rather informs readers that it is 'investigating a potential issue with a former supplier’s systems that may have led to [personal information] being accessed as a result'. 

Its response was criticised in part for downplaying the seriousness of the incident, with one journalist obtaining additional information about the breach by threatening to report the company to the Australian Privacy Commissioner.[3]  

Further, if there is any reasonable implication that the statement is telling consumers not to worry that their personal data has been breached, there is bound to be negative media coverage. 

Equifax, in particular, was in hot water for ‘breezily’[4] introducing its huge data breach, before going on to explain that there was no evidence of unauthorised access to its core databases.

Readers want to know that you care about their personal information as much as they do, so make sure that you show it. 

'An organisation needs to genuinely convey a sense of empathy to affected stakeholders — it goes to the credibility of the firm that the seriousness of the breach is appreciated and that it will be causing concern,' adds Elliott. 

LESSON 3: (TO THE EXTENT YOU CAN) BE SPECIFIC ABOUT THE CIRCUMSTANCES OF THE BREACH 

It is clear that the shorter and vaguer the statement, the more scope it gives the media to speculate about the silences. 

It is tempting to dress up a data breach incident in jargon and point to the unlikelihood of serious risks associated with the incident. If there’s been no evidence of unauthorised access, why wouldn’t you console affected individuals with that fact? 

Unfortunately, multiple media articles demonstrate that the media’s reaction to limited information is that the organisation is hiding something – and probably hiding something sinister. 

If there’s been a technical fault, don’t be brief about it — instead give enough information for readers to understand the scope of the incident and any residual risks. 

If information has been improperly disclosed (e.g. made available on the internet), don’t downplay the risk of access and misuse. 

Domino’s was particularly criticised for suggesting that information was only 'accessed' and not 'downloaded' to their knowledge. A journalist wryly responded: 

…that’s like saying, ‘We left a binder of your personal information on the footpath and no one photocopied it. That we know of’.[5] 

It is also important to ensure that the affected individuals know exactly what data has been accessed so they can take actions to protect themselves from any potential harm that may flow. Don’t skimp on the details. 

LESSON 4: BE PROMPT IN RESPONDING

Uber is an important example of timing when it comes to a data breach response.  

Media reported that instead of notifying the 57 million customers whose data was involved in the breach, Uber (on the decision of an employee) paid the hackers US$100,000 and hid the breach for a year.

This undermined the trust of many Uber customers and drivers. Uber was described as concealing the breach,[6] and the media has described the incident as ‘shameful handling’[7] of a data breach. 

Fortunately, when the C-suite became aware of the cover-up, it quickly took steps to inform the public.

Conversely, the Red Cross has been praised by the Australian Privacy Commissioner for its comprehensive response just two days after being alerted to the breach. 

The statement was published through a range of different platforms to ensure that it reached affected individuals — if an individual received multiple forms of communication (SMS and email), there was no hint that “over-notification” was an issue. 

Individuals were grateful to receive direct and comprehensive communications. 

Responding quickly with a statement about the data breach will help maintain the integrity and transparency of your business. 

If there are any hints that a business may have concealed, or attempted to conceal a breach, the media and public response can be unforgiving. 

'If your response processes are in place and you are bulletproof on facts, you won’t be marked down for action and proactivity in these circumstances,' adds Elliott.

LESSON 5: EXPLAIN WHAT YOU’LL CHANGE IN THE FUTURE 

Ensure that your statement explains the plans that you have put in place to ensure data is kept more secure in the future. Commit to learning from your mistakes, and regaining the trust of your customers. 

A good example of this in a statement was the Uber CEO’s response to their data breach: 

None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. 

We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.[8] 

KEY TAKEAWAYS 

The media’s reaction to a data breach statement may reach more of the public than your statement, so you need to take steps to avoid the reaction harming consumer confidence and trust in your business. 

Make sure that your business is prepared in the event of a data breach. 

Respond quickly, apologise genuinely, acknowledge the seriousness, and be specific. A well-crafted statement may turn around a bad situation effectively, so the task of crafting it should be taken seriously. 

Thanks to Naomi McCarthy (CareerTrackers intern) for her assistance in preparing this article. 

References

[1] Jacob Brogan, ‘Equifax’s Data Breach PR Statement, a Close Reading’, 8 September 2017, available at http://www.slate.com/blogs/future_tense/2017/09/08/a_close_reading_of_equifax_s_statement_about_its_data_breach.html

[2] Australian Red Cross Blood Service, ‘Blood Service Apologises for Donor Data Leak’, 28 October 2016, available at http://www.donateblood.com.au/media/news/blood-service-apologises-donor-data-leak

[3] Ben Grubb, ‘Revealed: what Domino’s Pizza (and maybe their hacker) knows about you’, 27 November 2017, available at http://www.canberratimes.com.au/technology/consumer-security/revealed-what-dominos-pizza-and-maybe-their-hacker-knows-about-you-20171127-gzthg6.html

[4] Jacob Brogan, ‘Equifax’s Data Breach PR Statement, a Close Reading’, 8 September 2017, available at http://www.slate.com/blogs/future_tense/2017/09/08/a_close_reading_of_equifax_s_statement_about_its_data_breach.html

[5] Ben Grubb, ‘Revealed: what Domino’s Pizza (and maybe their hacker) knows about you’, 27 November 2017, available at http://www.canberratimes.com.au/technology/consumer-security/revealed-what-dominos-pizza-and-maybe-their-hacker-knows-about-you-20171127-gzthg6.html

[6] Dave Lee, ‘Uber concealed huge data breach’, 22 November 2017, available at http://www.bbc.com/news/technology-42075306

[7] Paul Smith, ‘Uber’s shameful handling of a data breach comes ahead of Australia’s 2018 cyber shock’, 22 November 2017, available at http://www.afr.com/technology/web/security/ubers-shameful-handling-of-data-breach-comes-ahead-of-australias-2018-cyber-shock-20171122-gzqgc0

[8] Dara Khosrowshahi, ‘2016 Data Security Incident’, 21 November 2017, available at https://www.uber.com/newsroom/2016-data-incident/

About the author

Helen Clarke is an astute lawyer with strong technical skills and a distinct client focus, and an expert in information and communications technology and major procurement.

Clarke specialises in innovative and commercially viable solutions. She is consistently sought out by major government and private sector clients for her expertise in information technology, data protection (privacy), intellectual property, technology licensing, major procurement and outsourcing arrangements across a wide range of industries including health, financial services, education and energy and resources.

This article first appeared on the Corrs Chambers Westgarth website. It is reproduced here with permission.
