Catch of the Day’s failure to inform users of a data breach that occurred three years ago suggests the online retailer didn’t have a response plan, and may do the brand some harm.
This is the view of Matthew McMillan, a partner at law firm Henry Davis York, who said it’s vital that organisations dealing heavily with personal information are sophisticated enough to have a plan in place. This triggers the need to immediately notify affected users.
Catch of the Day, a large Australian daily deals website, last week informed users of a data breach in May 2011, which saw encrypted passwords and user information stolen from the company’s database. A small number of customers also had credit card data stolen.
“When you look at the fact that individuals are only being notified three years down the track [it] suggests that they weren’t sophisticated enough to have a data breach response plan in place,” said McMillan.
“If there’s the ability to ... restore an individual’s control over that personal information – which there would be if you notify them sooner rather than later – at least they can be cancelling credit cards and changing account details.
“They are the types of triggers where notification can really be essential in helping individuals to regain control of their personal data.”
McMillan said the new Australian Privacy Principles, which came in effect in March, are founded on companies being open and transparent with individuals around the management of their information.
Failing to do that has significant ramifications for any brand, he said.
Last year, Henry Davis York and the Office of the Australian Information Commissioner sponsored a survey on community attitudes to privacy.
“I think the results are quite telling. When you look at Internet and social media sites, there is not the same level of trust that you would see if you were dealing with, for example, financial services institutions or government,” he said.
“The trust associated with a lot of brands, particularly in the social media context, I think there’s a question mark there for a lot of the community.”
McMillan said often it’s only when there’s a significant data breach that some companies wake up to the potential ramifications.
“Particularly in light of the fact that we don’t at the moment have mandatory data breach notification legislation,” he said.
A bill introduced by the previous Labor government to force companies to disclose data breaches has stalled in the Senate.
However, privacy principle 11 under the new Australian Privacy Principles does require organisations to take reasonable steps to protect information from misuse, interference and loss.
“Reasonable steps in those circumstances could involve having a data breach response plan, which includes notifying affected individuals.”
McMillan said scenarios such as the Catch of the Day breach increases the need for mandatory data breach legislation to come into play.
“I know that the Office of the Australian Information Commissioner is a proponent of that type of legislation. There’s also been a lot of international pressure on Australia to move towards data breach notification.
“It is implemented in a number of other jurisdictions worldwide. Attorneys general in the US, UK, Canada, and New Zealand have all been applying pressure for mandatory data breach notification here in Australia.”
Follow Byron Connolly on Twitter:@ByronConnolly