If your organisation has a breach of data security what should you do?

How an organisation behaves after a breach of data security seems to have a significant impact on the outcome of any subsequent investigation by a privacy oversight body.

In June this year, the Australian Privacy Commissioner released a report into a breach of data security by Adobe.

In 2013, Adobe suffered a cyber-attack that affected at least 38 million customers worldwide, including 1.7 million Australians. Whilst Adobe had multi-layered and sophisticated security measures in place, the attack took advantage of a back-up server, designated for decommissioning, which was not fully protected.

The Commissioner considered the application of National Privacy Principle (‘NPP’) 4.1, which required Adobe to take reasonable steps to protect the data of customers.

The Commissioner commented that reasonable steps did not require an organisation to design an impenetrable system, but its measures must adequately address known risks. On the facts, Adobe had adequate security measures, but these measures had not been implemented in all areas, namely the back-up server in question. The Commissioner found that Adobe had breached NPP 4 by failing to take reasonable steps.

After the data security breach, Adobe took comprehensive steps, including:

  1. a fast and widespread notification of the data breach to customers;
  2. reasonable steps to strengthen security; and
  3. an independent audit to show that the additional security steps had been implemented.

The Commissioner did not impose a fine or other sanction on Adobe. It would appear the take-home message from this matter is that if a data breach does occur, a penalty may be avoided by your organisation following the three steps listed above.