It’s good to talk about privacy breaches
We would like to share some recent anecdotal evidence to remind organisations of the mutual benefits of having a genuine and effective communications strategy as part of a response to a privacy breach. This is something that forms part of our guidance to relevant stakeholders but, rather than just taking our word for it, we thought it’d be useful to learn from the experiences of organisations that have benefitted from this approach.
Of course, we understand that when a potentially serious privacy breach occurs it often creates stressful situations. There may be, for example, panic in the air; phones ringing off the hook; and frantic typing of ‘how to retrieve an email sent to the wrong person’ into a Google search.
In such circumstances, there can be a temptation to attempt to quickly rectify the breach internally and to simply hope that there are no external repercussions. This can be born of a fear of, for example, media attention, difficult phone calls with affected individuals or a barrage of complaints. Fair enough, you might think; after all, who wants to be shouted at over the phone, right?
Wrong.
This burying of heads in the sand usually proves to be counter-productive. Our experience has shown that good communication with affected individuals is, in fact, a cornerstone of dealing with a privacy breach in the most efficient and effective manner. This means communicating on an ongoing basis with affected individuals in a way that is honest, responsive and empowering.
As such, we recommend that where a privacy breach creates a risk of harm to an affected individual, the organisation should notify that individual (after the breach has been contained and the risks have been assessed). This allows the individual to take steps to mitigate any harm. It also demonstrates that the organisation takes privacy issues seriously and that it is doing the right thing. We also encourage organisations to notify our office of significant privacy breaches so that we are aware of the breach and can offer assistance as well as handle any related enquiries or complaints.
In a number of recent privacy breaches that were brought to our attention, organisations have reaped the rewards of prioritising their communications with affected individuals. One organisation highlighted to us that it greatly benefitted from the strategy of having staff at a very senior level contact affected individuals to clearly explain what had occurred and what was being done to address the breach. A number of organisations have followed up notification by setting up temporary dedicated hotlines so that affected individuals could easily access information about the breach.
One privacy officer summed up the benefit of these approaches by stating that a concerted effort in dealing with the ‘front end’ of a privacy breach in such ways ended up saving a lot of work in the ‘back end’. Others have also noted that effective communication is valuable in terms of rebuilding a sense of trust with individuals who have been affected by a privacy breach.
Indeed, our office has observed that where an organisation communicates well with affected individuals, we are less likely to receive enquiries or complaints about the organisation in respect of the breach.
This seems to be a matter of common sense. Where an individual feels that an organisation has been open and honest, that their concerns have been listened to, and that the organisation is committed to making the necessary changes to minimise the chance of a recurrence, then that individual will, logically, be less inclined to feel that a complaint is warranted.
Given the benefits of effective communication, organisations should give serious consideration to preparing data breach response plans which include communication strategies.
If your organisation would like further information on responding to privacy breaches, please visit the Guidelines section of our website or contact us on 1300 00 6842.
This article was written by Dermot Dignam, Assurance and Legal Policy Advisor, Office of the Victorian Information Commissioner. This post does not necessarily reflect the views of OVIC.