116 Gawler Place, Adelaide SA 5000 1800 818 875 [email protected]

Should you tell your customers if you have been hacked?

Should you tell your customers if you have been hacked?

There are many facets to address when dealing with a cyber attack. This include the ‘technical’ side, as well as the ‘legal obligations.’ But what about the ethical side?

If your company falls victim to an attack, should you inform your customers?

The answer is… yes… but it’s a bit more complicated!

Your legal obligations when you’ve been hacked

In Australia, the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 delineates clear legal obligations for entities in the wake of a data breach. This scheme is designed to protect individuals’ privacy and personal information, emphasising the need for transparency and immediate action following a breach.

Who does this apply to: The NDB scheme requires entities that are covered by the Privacy Act 1988—including most Australian Government agencies, businesses, and non-profit organisations with an annual turnover of more than $3 million, as well as some small business operators

Notification Criteria: The obligation to notify arises when there’s reasonable belief of serious harm due to unauthorised access to, disclosure of, or loss of personal information. Entities must assess the situation within 30 days to determine the breach’s severity. For example, a hacker steals personal information from a business about their customer’s details.

Notification Process: Affected entities are required to inform both the Australian Information Commissioner and the individuals impacted by the breach. This notification must include guidance on steps the individuals should take to mitigate potential harm, reinforcing the scheme’s goal of empowering individuals to protect themselves.

Consequences of Non-Compliance: Failing to adhere to the NDB scheme can result in substantial penalties.

In essence, the NDB scheme forces companies to take responsibility and provide transparency in handling personal information.

However, there are companies that are not legally required to disclose when their data has been hacked.

So should you still inform you customers?

Customer Hacked

An ethical choice: informing the victims

Beyond legal requirements, there exists an ethical obligation to notify those impacted by a data breach. It is also about respect and transparency. Any time your customer’s data is compromised, you should strongly considering informing all impacted persons to ensure they can take any required actions to protect themselves.

This approach acknowledges that people deserve to know when their personal data is compromised. It also shows your business:

Upholds Ethical Standards: Promptly informing affected individuals about a breach is a clear demonstration of a business’s commitment to ethical principles, highlighting a respect for privacy and the trust customers place in an organisation.

Believes In Transparency: Transparency in the wake of a breach can fortify the trust between customers and businesses. It reassures customers that their welfare is taken seriously and that measures are in place to mitigate any potential damage.

Puts Your Customers First: Notifying individuals about a breach equips them with essential information to protect against consequences like fraud. This empowerment is a testament to a business’s ethical stance, prioritising customers’ security and rights.

To ensure you inform your customers efficiently, it’s worth having templates and plans in pace just in case.  This can all start with an Incident Response Plan. If you don’t have one, download ours for free!

Fraud Blog Image 1

Is there ever a good time to keep quiet about a cyber breach?

If your data breach involves customer data, we highly recommend you consider telling your customers.

However, in the scenario where no customer data is compromised, the criteria for notifying customers under Australia’s Notifiable Data Breaches (NDB) scheme might not apply. Here are some scenarios where a company might not be required to inform customers about a cyber breach or attack:

  1. Internal Data Compromise: If the breach only affects internal company documents or confidential information not related to customers or their personal data, the obligation to notify under the NDB scheme may not be triggered.

  2. Ransomware Without Data Exfiltration: In instances where ransomware attacks lock access to company files without extracting data, and there’s no evidence that any customer data was accessed or compromised, notification may not be necessary.

  3. Blackmail Targeting Non-Customer Information: If attackers threaten to release or destroy internal company information (e.g., proprietary business information, internal policies, etc.) without involving or risking customer personal information.

  4. Successful Containment Before Risk to Customer Data: If a cyber attack is detected and contained swiftly, ensuring that no customer data was accessed, disclosed, or otherwise compromised, the company might not need to notify customers, focusing instead on internal remediation and security reinforcement.

  5. Attack on Non-Personal Data Assets: Cyber attacks targeting assets unrelated to personal data, such as operational technology systems or machinery that do not store or process customer information, would not typically necessitate customer notification.

  6. Invoice Fraud: This occurs when attackers deceive a company into paying fake invoices by impersonating a legitimate vendor or partner. Since this type of fraud typically targets the financial transactions between businesses and their suppliers without affecting customer data, it may not necessitate customer notification.

  7. Business Email Compromise (BEC): BEC attacks involve the fraudulent takeover or imitation of company email accounts to manipulate employees into transferring money or revealing sensitive company information. As BEC scams generally focus on deceiving the company’s staff and do not involve accessing or compromising customer data, notifying customers might not be required under the NDB scheme.

In these cases, the cyber incidents have significant implications for business operations, financial integrity, and competitive positioning but do not directly impact customer personal information. The primary concern for businesses in such scenarios is to address and mitigate the breach’s effects internally, secure their operations, and prevent future incidents. However, it remains essential for businesses to thoroughly assess the impact of any breach, ensure that no customer data was indirectly affected, and consider the broader implications for customer trust and business reputation when deciding on disclosure.

Essential 8-image3

Best option: Stop attacks in their tracks!

Ultimately, as a business owner, you never want to be in the position where you need to assess if a breach will ‘do harm’ to your customers.

Thus, the most effective strategy is preventative—implementing cyber security measures to minimise your risk of attacks before they happen.

This involves implementing cyber security measures such as regular updates to software and systems, employee education on cyber threats, enforcing strong password management, and ensuring cyber focused policies and procedures.

While these steps are a great start, navigating cyber security can be challenging, especially for small businesses without dedicated IT departments. Engaging with cyber security specialists like Jam Cyber can provide solutions and expert guidance, helping businesses strengthen their defenses, maintain customer trust, and meet their legal and ethical obligations.

Find out more about how we can protect your business with our range of packages designed for Australian SME’s.

// Need more help?

Contact our team today.

    This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

    Related Posts:

    Google Rating
    Based on 36 reviews
    Have questions? Search our knowledgebase.