Australia’s Mandatory Data Breach Reporting Scheme: a year on what have we learned?
Why would it be offensive when someone tells you they care about the very thing you want them to care about? When your behaviour harms another because you overlooked something important, isn’t it good to convey that you do in fact care about that thing?
This might seem intuitive in the context of personal relationships, but often falls flat when organisations talk about privacy and cyber security. In this article, we remind ourselves that demonstrating a commitment to privacy goes beyond soundbites and snappy one-liners.
“[Insert company name] takes privacy and security seriously” is increasingly one of the more jarring (and ill-advised) things a company can say today, especially in the wake of a breach.
It doesn’t sit well with journalists. You can almost hear their collective sigh every time a media statement containing that phrase is launched from corporate HQ.
Yet companies do put it in there, and usually at the very top.
Earlier this year, TechCrunch journalist Zack Whittaker scoured every data breach notification in California and found a third of companies had some variation of this “common trope”.
Whittaker wasn’t impressed: “The truth is, most companies don’t care about the privacy or security of your data. They care about having to explain to their customers that their data was stolen.”
For years, companies adopted a cloak-and-dagger attitude to any public commentary about privacy and security. “We don’t discuss matters of security” was a handy way for corporate affairs teams to bat away pesky tech and infosec journos, much like they might say “the matter is before the courts” in other awkward contexts.
This approach began to fray as companies realised cyber security and privacy issues weren’t purely technical stories. Breached data impacted real people today. Vulnerable systems could affect people tomorrow. And the community was becoming more vocal and aware.
We began to see companies eager to show they cared. And so … “We take privacy and security very seriously.”
But why should that rankle so much?
Simply because we intuitively detect something’s not right when a company or a person in our life glibly tells us they hold a position that contrasts with the evidence. In fact, it’s awkward.
Ask Mark Zuckerberg. Earlier this month, standing under a banner that read “the future is private”, the Facebook CEO proclaimed privacy was at the heart of Facebook’s new strategy. The awkwardness was so intense that Zuckerberg even sought to dissolve it with humour, rather unsuccessfully.
The gap between messages of care and diligence for data protection and what consumers actually experience doesn’t only relate to Facebook.
A number of breaches are the result of insufficient regard by a company for how customer data is used – such as unauthorised sharing with third parties – or the result of an avoidable mistake – like failing to fix a security flaw in a server where the patch has been available for months. And when companies insist they care while simultaneously trying to evade their responsibilities, tempering a sense of cynicism becomes even harder.
The state of the cyber landscape contributes too. Threats are intensifying, more breaches are happening and there are mandatory reporting requirements. Pick up a newspaper and odds on there’s a breach story in there. It’s not unreasonable for consumers to think there’s an epidemic of businesses losing sensitive data, yet somehow they’re all identically proclaiming to take data protection very seriously. It doesn’t add up.
At the same time, it should be possible for an organisation to affirm a commitment to data protection, even in the wake of a breach. Because it’s possible for a company to care deeply about privacy and security, to have invested greatly in these areas, and still be breached. Attackers are more skilled and determined, and it’s challenging to protect data that is everywhere thanks to the use of cloud technologies and third parties.
So we can cut organisations a little slack. But the way forward is not reverting to a catchy set of words alone.
As we learned from the 12-month review of the Notifiable Data Breaches scheme published by the Office of the Australian Information Commissioner, consumers and regulators want (and deserve) to see actions and responses that reflect empathy, accountability and transparency. They expect to see organisations show a genuine commitment to reducing harm, such as in the assistance they provide victims after a breach. A willingness to continuously update the public about the key details of a breach, and simple advice on what to do about it, also shows a genuine focus on the issue and a willingness to be transparent. And when company leaders are visible and take responsibility, it tells customers they will be accountable for putting things right.
Do these things, and there’s a better chance customers will take your commitment to privacy and security seriously.
Arjun Ramachandran, Principal, elevenM.