It can happen to any company. Data breaches aren’t limited to targeted attacks like thefts or hackings, and can arise from far less exciting internal errors like good old simple mistakes (think typing in the wrong email address and hitting send on a customer list…). It pays to be prepared and the Privacy Commissioner has recently released guidance on how to do just that. First step is developing a Data Breach Response Plan.
Under the Privacy Act, organisations have an obligation to ensure the security and integrity of the personal information they hold. This includes protecting that information from misuse, interference and loss as well as from unauthorised access, modification or disclosure. Fines apply for breaching the Act so it pays to read on.
The Privacy Commissioner has suggested that part of ensuring compliance with those obligations can include the preparation of a Data Breach Response Plan and has recommended that all entities have one. The Commissioner has added that, along with assisting with compliance with the Privacy Act, the plan can help:
- protect and manage client information and your company’s reputation in the event of a breach;
- deal with adverse media or stakeholder attention; and
- instil public confidence in your capacity to protect personal information by properly responding to a breach.
At present, there’s no legislative obligation to notify to the Privacy Commissioner of a breach, however, proposed changes to the Privacy Act could soon see that change. In the meantime, the Commissioner ‘strongly encourages’ organisations to report serious data breaches.