Data breaches are on the rise; in frequency and impact. Latest statistics state that since January 2019, Australian entities have reported over 215 eligible data breaches, with one such breach affecting over 10 million individuals. Recent incidents have shown that when a data breach (which is likely to cause serious harm) occurs, it is important to notify affected individuals transparently and appropriately.

Canva data breach

Australian technology company Canva recently experienced a cyberattack that saw the usernames, emails and passwords of approximately 139 million users stolen when a hacker gained access to Canva's systems. Canva initially notified customers via email, however this notification has been criticised by several industry players.

The criticism revolves around the security incident notification content being subsumed within the broader marketing content of the email. By not giving sufficient emphasis to the security breach, it is argued that many customers would not have adequately read the email, and therefore would not have been properly notified of the data breach.

Canva has subsequently released a more succinct message across its website and social media channels disclosing the details of the breach more emphatically and continues to maintain an ongoing status update of the breach investigation as it unfolds.

Principles of breach notification

The Office of the Australian Information Commissioner (OAIC) recently released a report (see our previous insight here), reminding organisations of the key principles for breach notification which, if followed, would have aided Canva’s disclosure efforts.

When providing a notification, entities should remember the following:

• Incident Plan – given the increasing prevalence of data breaches, organisations should prepare by having an incident response plan in place before a security incident occurs. This includes having adequate processes for incident notification in place for when a breach occurs.  
• Transparency and simplicity are key – the OAIC stated that data breach incidents should be communicated in plain English, outlining in simple terms what happened and the steps that individuals need to take to protect themselves. 
• Messaging and timing – the OAIC urges organisations to consider the issues that could arise from mixed messages and poor timing.
  • For example, as was the case in the Canva incident, notifications should not be buried in communications where the main message is not highlighting the security incident. 
  • Notifications issued before a weekend or public holiday might not be given proper attention by recipients. 
  • While appropriate timing is important, entities should remain aware of their obligation to provide the notification as soon as practicable after the incident occurs.
• Microsites – it is becoming best practice to establish and maintain a microsite with dedicated support channels to enable individuals to ask questions and learn more about how to protect themselves. 
• Notification content – at a minimum, we recommend that a notification include:
  • the entity's contact details (including any details of other entities that hold the same information as that which was breached – for example entities in a shared services arrangement);
  • a simple description of the data breach;
  • identify the kind of information that was compromised;
  • outline the steps taken by the entity to mitigate the damage; and
  • set out the steps that individuals should take to protect themselves from any harm that may arise from the breach.
• It is also recommended to notify and provide a copy of this notification to the OAIC, so that any disclosure issues can be identified and remedied as soon as possible. 
• Social channels – to ensure transparency, it may be beneficial to publish the notification prominently on the relevant webpage and post announcements on all social media channels. This was ultimately the method employed by Canva.

For more information on how to prepare your organisation for a data breach incident, you can view the OAIC’s "Data breach preparation and response guide" here. 

Written by Lesley Sutton, Rosalind Moffatt and Robert O’Grady