On 11 April 2016, the Office of the Australian Information Commissioner (“OAIC”) released a guide to developing a data breach response plan (“Guide”) aimed at entities regulated by the Privacy Act 1988 (Cth). The OAIC emphasised that the Guide is not legally binding.
For organisations bound by the Australian Privacy Principles (“APPs”), the Guide is potentially a useful tool in anticipating what needs to occur in the event a breach of privacy occurs. If an organisation has established and follows a data breach response plan, this may be taken into account when the Commissioner assesses whether the organisation has complied with its obligations to take reasonable steps to keep personal information secure.
This alert summarises the key points of the OAIC’s guide (the full guide can be downloaded from the OAIC’s website here).
What is a data breach?
The Guide defines a data breach as an event where personal information held by an entity is lost or subjected to some unauthorised event, such as access, modification, disclosure or other misuse or interference. A ‘data breach’ may also breach the APPs or the Privacy (Credit Reporting) Code 2014 (“CR Code”), depending on the circumstances.
Why have a plan?
The OAIC emphasises that the actions in the first 24 hours after discovering a data breach are often crucial in whether the response to a data breach is successful. A timely response generally lessens the impact on affected individuals. High profile data security breaches, such as the theft of millions of customers’ credit card details from US Target in 2013, highlight that a proactive approach to data security and responding to data breaches, help to mitigate the loss and damage suffered by those affected.
Additionally, having a clear data breach response plan in place will generally help to demonstrate compliance with the APPs and will assist in protecting important business assets, such as customer trust and confidence in the entity.
What is the plan?
According to the OAIC, the plan is a framework that establishes roles and responsibilities for managing an appropriate response to an actual or suspected data breach. It also describes what actions the entity should take in managing a breach.
It will likely include actions to be taken if a breach is suspected, discovered or reported (including escalation to a special ‘response team’), a description of the members of the data breach response team and the actions this team will take.
The OAIC recommends that the plan is regularly reviewed and tested to ensure that it is current and staff know what actions to take and when. Infrequent reviews are a significant impediment (according to the OAIC) to the effectiveness of such plans, and the OAIC recommends that hypothetical situations are created and used to test the plan’s effectiveness. As an example only, the OAIC has published its data breach response plan on its website (click here).
What should the plan contain?
The OAIC recommends that the plan should contain the following:
- a clear explanation of what comprises a data breach, to enable staff to readily identify a potential or actual breach;
- a strategy for assessing, managing and containing suspected or confirmed data breaches;
- a clear and immediate communications strategy to allow for prompt notification of affected individuals and other relevant entities (including the OAIC, if required);
- clear reporting lines and processes for escalation to the response team;
- how to record data breaches; and
- a system for a post-breach review and assessment of response.
Response team membership
The OAIC recommends that the membership of the response team is settled in advance of any actual or suspected data breach. The membership will depend on your business and the nature of the breach, as differing skill sets may be needed to respond to one breach compared to another breach. External experts (such as lawyers, data forensics and media managers) may also be required. The plan should include the current list of team members with contact details updated.
Actions the response team may take
The response team may be required to contain the breach and undertake a preliminary assessment of the damage, evaluate the risks associated with the breach, coordinate notification of affected parties and take steps to prevent future breaches.
The OAIC also suggests that entities consider whether the data breach response plan should be linked into or be incorporated into other risk management practices and procedures, such as a disaster recovery plan, a cyber-security or ICT incident response plan or a crisis management plan. Additionally, entities may wish to look at procuring insurance policies that protect the entity from suffering loss as a result of a data breach. Insurers may impose their own requirements on their insured that must be followed in the event of a notified claim.
The OAIC included a one-page checklist that helps entities keep track of whether the response plan meets the OAIC’s suggested criteria. The checklist can be reviewed here.
The rising tide of high profile data breaches over the last two years emphasises that organisations regulated by the Privacy Act 1988 (Cth) should consider their position if they suffer a data breach. The data breach response plan is one part of the toolkit organisations should build in order to maximise compliance with their statutory obligations.