Optus showing how not to handle a data breach as it irritates its customers.
September 26, 2022
Rolling out a data breach response is something of an art form in the United States, where mandatory data breach notification laws have been part of the regulatory landscape in most states of the Union. Certain types of data breaches, notably those involving health information, attract mandatory notifications. Letters to customers and plans to remediate damage are carefully drafted. Australia has no such long-term history of being required to respond to data breaches, and even under the Breach Notification Regime in Australia, notices to clients/consumers/members are not mandatory. It might not even be mandatory to notify the Information Commissioner. The organisation has to make that determination based on the list of factors in Part IIIC of the Privacy Act.
So far Optus is demonstrating how a data breach should not be handled. It dawdled in sending notices, and the notice itself was poorly drafted and provided no assistance beyond suggesting customers keep a lookout and check various sites.
The media is reporting on annoyance and frustration among customers, with the Sydney Morning Herald reporting Frustrated Optus customers get the run around, 2GB's Optus struggles to explain their data breach in trainwreck interview, and Optus customers frustrated after compensation requests denied, phone number change not possible. All of this suggests that Optus either had no data breach notification plan or an inadequate one, and if it did have one, it didn't test it with simulations. Data breach plans or incident plans are very important in competently dealing with a data breach. Having a team which can put a response into place is critical.
The examples finding their way online, which indicate Optus has no real plan on how to deal with the problem, include:
- refusing to compensate a customer for a $15 credit check. It is common in the United States for the organisation to pay for credit checks through a previously arranged credit agency;
- offering no help in changing a telephone number with a different provider, resulting in a charge of $1,000.
It doesn't matter that some of the demands may be difficult or unreasonable. If no assistance is offered initially, then the door is open to complaints that the organisation doesn't care.