Catch of the Day’s failure to inform users of a data breach that occurred three years ago suggests the online retailer didn’t have a response plan, and may do the brand some harm.

This is the view of Matthew McMillan, a partner at law firm Henry Davis York, who said it’s vital that organisations dealing heavily with personal information are sophisticated enough to have a plan in place. Such a plan would trigger immediate notification of affected users once a breach is detected.

Catch of the Day, a large Australian daily-deals website, last week informed users of a data breach in May 2011, in which encrypted passwords and user information were stolen from the company’s database. A small number of customers also had credit card data stolen.

“When you look at the fact that individuals are only being notified three years down the track [it] suggests that they weren’t sophisticated enough to have a data breach response plan in place,” said McMillan.

“If there’s the ability to … restore an individual’s control over that personal information – which there would be if you notify them sooner rather than later – at least they can be cancelling credit cards and changing account details.

“They are the types of triggers where notification can really be essential in helping individuals to regain control of their personal data.”

McMillan said the new Australian Privacy Principles, which came into effect in March, are founded on companies being open and transparent with individuals about the management of their information. Failing to do that has significant ramifications for any brand, he said.

Last year, Henry Davis York and the Office of the Australian Information Commissioner sponsored a survey on community attitudes to privacy.

“I think the results are quite telling. When you look at Internet and social media sites, there is not the same level of trust that you would see if you were dealing with, for example, financial services institutions or government,” he said.
“The trust associated with a lot of brands, particularly in the social media context, I think there’s a question mark there for a lot of the community.”

McMillan said it is often only when there’s a significant data breach that some companies wake up to the potential ramifications.

“Particularly in light of the fact that we don’t at the moment have mandatory data breach notification legislation,” he said.

A bill introduced by the previous Labor government to force companies to disclose data breaches has stalled in the Senate. However, Australian Privacy Principle 11 does require organisations to take reasonable steps to protect personal information from misuse, interference and loss.

“Reasonable steps in those circumstances could involve having a data breach response plan, which includes notifying affected individuals.”

McMillan said scenarios such as the Catch of the Day breach increase the need for mandatory data breach notification legislation to come into play.

“I know that the Office of the Australian Information Commissioner is a proponent of that type of legislation. There’s also been a lot of international pressure on Australia to move towards data breach notification.

“It is implemented in a number of other jurisdictions worldwide. Attorneys general in the US, UK, Canada, and New Zealand have all been applying pressure for mandatory data breach notification here in Australia.”

Follow Byron Connolly on Twitter: @ByronConnolly