How to Communicate a Data Breach: A Guide for Businesses


In today’s digital world, data breaches have become an unfortunate reality for businesses of all sizes, and a single data breach could result in reputational damage, financial losses, and possibly even huge fines for your business.

IBM’s Cost of a Data Breach Report 2023, which draws on the experience of 550 organisations hit by a breach, puts the global average cost of a data breach in 2023 at USD $4.45 million, or about AUD $6.93 million at the conversion rate at the time of writing.

Preventing breaches through sound cyber security practice is always preferable, but a simple human error by an employee, such as a company laptop stolen from a vehicle, can still result in a serious data breach. If the Privacy Act 1988 covers your organisation or agency, you must assess any suspected breach promptly (the Act allows at most 30 days for the assessment), and where the breach is likely to result in serious harm to affected individuals it is an eligible data breach that you are required to notify to those individuals and to the Office of the Australian Information Commissioner (OAIC).

Understanding how to communicate effectively, and in line with regulatory requirements, when a data breach occurs is essential.

Detect & identify the data breach

Before communication commences, it is important to understand exactly what has happened and to contain the incident so that no further data is lost. Communicating before the facts are established tends to produce corrections later, which erodes trust faster than a slightly later but accurate first notice.

You’ll need to get answers to the following questions:

  • When was the breach first discovered, and when did your response commence?
  • Who discovered the breach, who reported it and who else knows about it?
  • How did the breach occur?
  • What data has been breached?
  • Is the data that has been breached identifiable? For example, if medical records were released, do they include the patient’s name or contact details?
  • Who needs to know? Build a list of all stakeholders who must be communicated with about the breach. This may include, but is not limited to, employees, customers, suppliers, and regulatory bodies such as the OAIC.

Preparing your communication

All stakeholders need to be informed as soon as possible, and transparency is key. Provide clear and concise information about what happened, avoid technical jargon, and use language that every recipient will readily understand.

You’ll need to include:

FACTS – Clearly outline the facts about the breach, including the date it was detected, the type of data compromised, and the potential risks to individuals involved.

ACTIONS TAKEN – Describe the immediate steps you have taken to contain the breach and mitigate its effects.  Assure stakeholders that you are actively addressing the situation.

PREVENTATIVE MEASURES – Highlight the measures you’re implementing to prevent similar breaches in the future.  This could include enhanced cybersecurity, employee training, and third-party audits.

ASSISTANCE – Provide guidance on steps that affected individuals can take to protect themselves, such as changing passwords, or monitoring their financial accounts for suspicious activity.

POINT OF CONTACT – Designate a dedicated point of contact for any queries or concerns. You may consider setting up a dedicated email address for this purpose. Make sure this information is easy to find within your communication.

Beyond those key pieces of information, it is also important to express genuine concern and empathy. Depending on its severity, a data breach can leave customers feeling quite vulnerable.

Choose your communication channels

Swift communication with your stakeholders is critical, as you need to inform them as soon as possible if they are at risk – and you’d certainly prefer to get ahead of any media coverage.

Email is generally the quickest way to reach your stakeholders. Bear in mind, though, that genuine breach notifications are routinely imitated by phishers who target the same customers, so your email should not ask recipients to click a link and enter credentials or payment details; instead, tell them to go to your website directly, state plainly what you will never ask them for, and explain how they can verify that the message is genuine. You may also consider:

  • Website announcement – Post a clear and easily accessible notice on your website’s homepage and link it to a page dedicated to the data breach. Keep the information on your website updated as often as possible, and provide the contact details for your designated point of contact for affected individuals.
  • Social media – A post can be made through your company’s social media channels, and pinned to the top of the feed so that it is the first post seen by visiting users. If you expect a large amount of interaction on that post, have someone closely monitoring the comments and armed ready with standardised responses to frequently asked questions.
  • Press release – If the breach is significant, you may wish to engage a public relations professional to help you draft and issue a press release to inform the public and get ahead of potential media coverage.

Hopefully your business never falls victim to a data breach, but it pays to be prepared just in case.  The OAIC recommends creating a data breach response plan so that you are able to meet your obligations under the Privacy Act, limit the consequences, and preserve and build public trust.

If you’re concerned about cybersecurity within your business, or if you’d like some employee training to help provide a safety net for your business, please contact the Calvert Technologies team today:

Phone: 08 7325 5000

Contact our CET Team today for a complimentary assessment and consultation.