Copyright © 2024 | Magnetic Alliance Cyber Pty Ltd | Designed by Magnetic Alliance
Should you tell your customers if you have been hacked?
There are many facets to address when dealing with a cyber attack. These include the technical side as well as the legal obligations. But what about the ethical side?
If your company falls victim to an attack, should you inform your customers?
The answer is… yes… but it’s a bit more complicated!
Your legal obligations when you’ve been hacked
In Australia, the Notifiable Data Breaches (NDB) scheme under the Privacy Act 1988 delineates clear legal obligations for entities in the wake of a data breach. This scheme is designed to protect individuals’ privacy and personal information, emphasising the need for transparency and immediate action following a breach.
Who does this apply to: The NDB scheme applies to entities covered by the Privacy Act 1988, including most Australian Government agencies, businesses, and non-profit organisations with an annual turnover of more than $3 million, as well as some small business operators.
Notification Criteria: The obligation to notify arises when there is a reasonable belief that serious harm is likely to result from unauthorised access to, disclosure of, or loss of personal information. Entities must assess the situation within 30 days to determine the breach’s severity. For example, an attacker stealing a business’s records of its customers’ personal details would meet this criterion.
Notification Process: Affected entities are required to inform both the Australian Information Commissioner and the individuals impacted by the breach. This notification must include guidance on steps the individuals should take to mitigate potential harm, reinforcing the scheme’s goal of empowering individuals to protect themselves.
Consequences of Non-Compliance: Failing to adhere to the NDB scheme can result in substantial penalties.
In essence, the NDB scheme forces companies to take responsibility and provide transparency in handling personal information.
However, there are companies that are not legally required to disclose when their data has been hacked.
So should you still inform your customers?
An ethical choice: informing the victims
Beyond legal requirements, there exists an ethical obligation to notify those impacted by a data breach. It is also about respect and transparency. Any time your customers’ data is compromised, you should strongly consider informing all impacted persons so that they can take any required actions to protect themselves.
This approach acknowledges that people deserve to know when their personal data is compromised. It also shows your business:
Upholds Ethical Standards: Promptly informing affected individuals about a breach is a clear demonstration of a business’s commitment to ethical principles, highlighting a respect for privacy and the trust customers place in an organisation.
Believes In Transparency: Transparency in the wake of a breach can fortify the trust between customers and businesses. It reassures customers that their welfare is taken seriously and that measures are in place to mitigate any potential damage.
Puts Your Customers First: Notifying individuals about a breach equips them with essential information to protect against consequences like fraud. This empowerment is a testament to a business’s ethical stance, prioritising customers’ security and rights.
To ensure you inform your customers efficiently, it’s worth having templates and plans in place just in case. This can all start with an Incident Response Plan. If you don’t have one, download ours for free!
Is there ever a good time to keep quiet about a cyber breach?
If your data breach involves customer data, we highly recommend you consider telling your customers.
However, in the scenario where no customer data is compromised, the criteria for notifying customers under Australia’s Notifiable Data Breaches (NDB) scheme might not apply. Here are some scenarios where a company might not be required to inform customers about a cyber breach or attack:
In these cases, the cyber incidents have significant implications for business operations, financial integrity, and competitive positioning but do not directly impact customer personal information. The primary concern for businesses in such scenarios is to address and mitigate the breach’s effects internally, secure their operations, and prevent future incidents. However, it remains essential for businesses to thoroughly assess the impact of any breach, ensure that no customer data was indirectly affected, and consider the broader implications for customer trust and business reputation when deciding on disclosure.
Best option: Stop attacks in their tracks!
Ultimately, as a business owner, you never want to be in the position where you need to assess if a breach will ‘do harm’ to your customers.
Thus, the most effective strategy is preventative—implementing cyber security measures to minimise your risk of attacks before they happen.
This involves implementing cyber security measures such as regular updates to software and systems, employee education on cyber threats, enforcing strong password management, and ensuring cyber focused policies and procedures.
While these steps are a great start, navigating cyber security can be challenging, especially for small businesses without dedicated IT departments. Engaging with cyber security specialists like Jam Cyber can provide solutions and expert guidance, helping businesses strengthen their defences, maintain customer trust, and meet their legal and ethical obligations.
Find out more about how we can protect your business with our range of packages designed for Australian SMEs.