How to Manage a Crisis Tip #006: Notifying Stakeholders of a Data Breach
On 13 February 2017, the Australian Senate passed a privacy amendment bill which mandates that businesses, government agencies, non-for-profits and individuals are now required by law to notify the Office of the Australian Information Commissioner and all affected individuals (consumers, customers, staff etc.) of any data breach.
The new law will come into affect sometime this year and will apply to all organisations who are already subject to the Privacy Act.
What are the consequences of not complying?
In our experience, the truth is always going to come out eventually anyway – and your stakeholders are going to be disappointed if they only hear of a breach from somewhere other than you. There’ll be an immediate lack of trust in you.
Irrespective of that, it’ll soon be illegal not to notify them – and the penalties can be up to $1.8million in fines.
What should you do?
If you haven’t already written a Crisis Communications Plan – write one now before it’s too late.
These are our stakeholders
This is who, what, when, how we will contact them
This is what we’ll say
Establish the facts
What we know
What we don’t know
What we’re doing about it
What we want you to do
Make sure you have those message templates ready to go depending on incident type