Last week it came to light that in 2016 the Commonwealth Bank (CBA) alerted the Office of the Australian Information Commissioner (OAIC) to a potential data breach. The CBA was unable to account for the destruction of two magnetic tapes containing 20 million records. When the “destruction certificate” could not be found, KPMG completed a forensic investigation and both the OAIC and APRA were alerted. The conclusion was that the tapes had most likely been disposed of; they just couldn’t confirm it.
Banks hold incredibly sensitive customer information and, whether the fear is justified or perceived, the public has a very low threshold for being understanding when there has been a potential breach of their personal information.
While CBA is claiming there has been no threat to personal information, and that it has ensured no fraudulent activity has occurred on any accounts, the other big issue at play here is brand and reputation management, which carries genuine costs for any organisation when it comes to a data breach incident.
The public entrust their personal information to organisations and service providers on the assumption that this data is kept out of “harm’s way”, and when there is a data breach, that trust between the organisation and the consumer is broken. Even if the data breach does not result in any direct fines, it exposes the organisation to the potential for bad word of mouth and lost customers.
The CBA Public Relations team went straight into overdrive, frantically attempting to allay fears that any of their customers’ personal information had fallen into the wrong hands.
So, What Can We Learn From the CBA Situation?
- No organisation is immune from losing important and private information about its stakeholders. Large and small organisations are equally at risk of a data breach event occurring. If you are thinking “it won’t happen to me!”, you have your head in the sand.
- The CBA chose not to inform customers at the time, and in hindsight, this might have been a misguided decision. Customers have a right to be made aware when their information may have been compromised. The Notifiable Data Breaches Scheme requires entities subject to the Privacy Act 1988 to notify individuals if their data has been involved in a breach that may result in serious harm.
- Events like this “don’t go away”, and if they aren’t dealt with promptly and effectively at the time, they can come back to bite you. With the APRA report into the CBA’s poor governance, this data breach event is back in the spotlight, a headache for any business. We recommend you have an action plan in place before any data breach occurs and seek legal advice as soon as you think a data breach MIGHT have occurred.
- Hidden costs – the cost to investigate and rectify a data breach takes time away from revenue-generating tasks. Staff are distracted and customers are affected, which can hurt the bottom line.
- Not paying enough attention to risk. While the topic of risk management is not the sexiest, and conjures up images of checklists and procedural documents, failing to cross your T’s and dot your I’s can have a significant impact if something does go wrong. Think of a robust risk plan as your insurance policy.
Five Steps to Protect Your Organisation:
- Assess your current information security. Who has access to private and sensitive information? Where are passwords kept? Do you have physical records that need to be secured?
- Do you have a data breach response plan? Having a structured way to deal with any incident will help to minimise damage.
- Staff training and education – it’s everyone’s responsibility.
- Reduce the amount of data you hold – assessing what data you hold, and how much, can help you decide whether there is any information you no longer need to keep. The less information you have, the less there is to breach.