Data breach incidents are an unfortunate reality of 21st-century life. A recent study of data breach incidents in Australia found that, on average, a cyber breach costs a business $2.82 million to rectify.
Apart from the financial costs, there are other compelling reasons why businesses should take data breach management seriously. In addition, the Federal Government has just released a draft bill that would require businesses to notify the Federal Privacy Commissioner and affected individuals of serious data breaches involving personal information.
You can take steps to protect your business from data breaches and reduce their impact if they occur.
In this article we outline five actions to better data breach management. Following these steps will also help your business comply with the Privacy Commissioner’s voluntary guidelines on data breach notification, and prepare for the potential introduction of mandatory notification requirements in Australia.
ACTION 1: TAKE STOCK OF WHAT DATA YOUR BUSINESS HOLDS
It is essential that the decision makers in your business understand (and monitor) the types and amount of personal information that the business holds, and how and where that information is stored.
Under the Privacy Act, entities are responsible for the security of any records containing personal information (whether physical or electronic) that are in the entity’s possession or control. This can include information that is processed or stored by external service providers (including cloud storage providers). Particular care should also be taken to identify and manage archived and backup copies of data.
Your business’ risk and compliance governance procedures should incorporate regular reporting on information security and data storage issues so that management has appropriate visibility of any risks and can take a co-ordinated approach to manage them. These matters should be reported on at the most senior levels of governance in an organisation.
ACTION 2: REVIEW YOUR CONTRACT TERMS WITH SERVICE PROVIDERS
Your business should have appropriate operational procedures (and contractual rights) in place so that you can promptly and accurately identify and assess any security breaches affecting your data, regardless of whether the breach is suffered by you or your service provider.
Ideally, contracts should include a clause requiring the service provider to immediately notify the customer of any security breaches affecting the customer’s data, and to co-operate with the customer in connection with the management of the breach.
You should also seek to ensure that the contractual trigger for notification operates on an objective basis, and is not subject to an assessment of severity by the service provider.
The cost of managing data breaches should also be addressed in the contract. The contract should include appropriate liability positions, indemnity obligations and insurance requirements.
ACTION 3: ENCRYPT YOUR DATA AND REVIEW YOUR INFORMATION SECURITY PRACTICES
The Privacy Commissioner recognises that it is not possible (nor required under the Privacy Act) for businesses to design completely impenetrable security systems. Rather, organisations are required to implement information security measures that are “reasonable” in the circumstances (based on factors such as the nature of the business and the amount and sensitivity of the personal information held).
The Privacy Commissioner says that determining whether a reasonable security measure has been put in place should not be judged solely by reference to the expense of the implementation.
A good information security program should incorporate both proactive and reactive risk management – it should:
- help you to prevent unauthorised access/disclosure or loss of data (e.g. firewalls, network security, malware detection and prevention software); and
- reduce the risk posed to affected individuals when breaches do occur (e.g. passwords, data encryption and database segregation techniques, which make it more difficult for hackers to use data extracted from your systems).
Implementing sufficiently strong reactive security measures (such as an adequate level of data encryption) could potentially save you from having to notify, as the proposed Australian data breach notification regime would allow businesses to consider factors such as “whether the information is in a form that is intelligible to an ordinary person” and “whether the information is protected by security measures” when determining whether a data breach is “serious” (thereby triggering the notification requirement).
ACTION 4: IMPROVE YOUR BREACH DETECTION PROCESSES
It’s critical to identify data breach incidents quickly so that remedial steps and notifications can be performed in a timely manner. The notification requirements under the proposed mandatory data breach notification regime will apply to any serious data breaches that the organisation “ought reasonably to be aware of”.
Businesses can consider breach detection measures such as:
- network security tools, which act as a “security alarm” for your IT systems (e.g. intrusion detection software to monitor unauthorised access, and data loss prevention software to scan outbound e-mails sent by staff);
- regular security testing to identify potential weak spots – this could include technical testing (such as network penetration testing) and operational readiness testing (such as training exercises for staff that simulate phishing attacks); and
- training for staff to identify and report errors in handling personal information.
ACTION 5: HAVE A DATA BREACH MANAGEMENT RESPONSE PLAN IN PLACE
Your business should have a clear data breach plan in place that sets out a strategy for identifying and remedying the source of a data breach. The plan should also identify key responsible personnel, and set out the procedures for determining whether notice should be given of the breach.
A good starting point in designing the plan would be to refer to the Government’s draft bill on the proposed mandatory data breach notification regime. The Privacy Commissioner has also published a range of guidance materials on data breach management, and is currently in the process of public consultation on a draft Guide to Developing a Data Breach Response Plan (although it should be noted that the consultation draft of the Guide was released prior to the draft bill, and so does not currently reflect the proposed mandatory data breach notification regime).
Businesses should also consider having a list of “go-to” subject matter experts who can be engaged at short notice to assess the severity of the breach, advise on containment and risk mitigation steps, and determine whether notification is required.