Does your business have processes in place to handle data breaches? Have you considered the consequences for your business if the personal information you hold is hacked, inadvertently disclosed or stolen?
If your business holds personal information, then you are susceptible to data breaches involving such information. Data breaches are not limited to malicious actions, such as theft or ‘hacking’, but may arise from internal errors or failure to follow information handling policies that cause accidental loss or disclosure. Some examples include laptops, smart phones or USB devices being lost or stolen, databases being hacked or otherwise illegally accessed, inadvertent and accidental disclosure, or unauthorised disclosure by employees.
Your business has obligations under the Privacy Act to take reasonable steps to protect the personal information you hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. Generally, these steps will include the planning and implementation of a data breach policy and response plan.
The following steps are an abridged version of the suggested responses to data breaches as outlined by the Office of the Australian Information Commissioner in the OAIC’s data breach notification guidelines.
Step 1: Contain the breach and do a preliminary assessment
First of all, take whatever steps possible to immediately contain the breach, for example, recover the affected records, change information access privileges, and assess whether steps can be taken to mitigate the harm an individual may suffer. Then appoint someone to carry out the initial investigation, gather any necessary information and make initial recommendations.
Step 2: Evaluate the risks associated with the breach
In order to assess the risks, you should consider the following factors:
- The type of personal information involved. For example, government-issued identifiers (e.g. Medicare numbers) and financial numbers (e.g. credit card numbers) might pose a greater risk to the individual than their name or address.
- The context of the affected information and the breach. This might affect the information’s sensitivity, for example, a client’s health history and medical conditions might be particularly sensitive.
- The cause and extent of the breach. For example, the risk of harm to an individual might be more where the breach is intentional or malicious, rather than unintentional or accidental.
- The risk of serious harm to the affected individuals. For example, the possibility of identity theft, financial loss or threat to physical safety and emotional wellbeing.
- The risk of other harms. For example, reputational damage, extortion and legal liability.
Step 3: Notification
You should consider the particular circumstances of the breach and decide whether to notify affected individuals (i.e. whether such notification is necessary to avoid or mitigate serious harm) and, if so, consider:
- when and how notification should occur, who should make it and who should be notified;
- what information should be included in the notification; and
- who else should be notified, for example, the OAIC, the police and insurers.
When certain sensitive information is involved or there is a risk of serious harm to affected individuals, it may be appropriate to notify the affected individuals immediately. If the data breach is likely to involve a real risk of serious harm to individuals, or receive a high level of media attention, it might be appropriate to inform the OAIC.
Step 4: Prevent future breaches
You then need to take steps to investigate the cause of the breach and consider whether to review your existing prevention plan or, if there is no plan, develop one.
A prevention plan may include a security audit, a review of policies and procedures, a review of employee selection and training practices and a review of service delivery partners (for example, offsite data storage providers).
The following are suggested preparations for responding to a data breach:
- Develop a breach response plan.
- Establish a breach response team.
- Identify relevant service providers.
- Enhance internal communication and training.
- Enhance transparency.
In an age of cloud storage, it is also important to note that your data could be moving across borders and being stored in multiple locations worldwide. You should also consider how your response and legal obligations might differ given this geographical diversity.
The complete guide to handling personal information security breaches can be found on the OAIC’s website.