A number of recent, high-profile cases illustrate the financial and reputational damage that can occur when data goes astray. Given the widespread use of personal information in today’s digital society, the issue of managing data security breaches is now squarely on the agenda for agencies looking to avoid the reputational and financial implications of a data breach.
Causes of data breaches
There are many ways that a data breach can occur. Some examples include:
- lost or stolen laptops, removable storage devices or paper records containing personal information
- hard drives and digital storage media being disposed of without their contents being erased first
- databases containing personal information being hacked into, and
- paper records being taken from insecure recycling or garbage bins.
Given the variety of ways in which data breaches can occur, agencies should put procedures in place to minimise the risk of data security breaches.
Managing Data Breach Risk
There are a number of steps which organisations can take to mitigate the risk of a data security breach occurring. The first is to understand what data the organisation holds and where and how it is stored. It is important to establish where the biggest risks lie and to identify weak points in the existing security measures.
Understand your legal obligations
The exact scope of an organisation's legal obligations may differ depending on the type of data involved and the circumstances of the loss. Of particular importance for Commonwealth agencies is the Privacy Act 1988 (Cth) (Privacy Act), which requires agencies to take ‘reasonable steps’ to protect the personal information they hold from misuse and loss, and from unauthorised access, modification or disclosure.
There may also be contractual obligations and, in some circumstances, agencies may owe individuals a duty of care to notify them of a breach so that they can protect themselves against misuse of their data.
Consider technological protections
Agencies should also consider technological protections such as:
- disabling the download function on computers to prevent data being copied onto removable media devices
- implementing a policy that requires hard drives and other digital storage media to be cleared before the equipment or media is disposed of, and
- requiring passwords to be changed on a regular basis.
Know your partners
If your agency relies on outside vendors for functions that require the agency to share its data (such as outsourcing), it is crucial to know exactly how every contract the agency has with such third parties addresses privacy, confidentiality, data protection and similar issues in the event of a data breach.
Have a data breach response plan
Agencies should consider developing a breach response plan to help ensure a quick response to data breaches.
It is also important to make sure that employees understand the policies and procedures that apply to protect data, and why they exist.
Establish a person or group responsible for managing data security
An agency can reduce the chance of a data breach occurring in the future by creating a senior position tasked specifically with managing data security.
What to do if a data breach occurs?
On 30 April 2012, the Office of the Australian Information Commissioner (OAIC) released “Data breach notification: a guide to handling personal information security breaches” (the OAIC guide), which provides guidance for organisations responding to a breach involving personal information. While the OAIC guide is currently not legally binding, it provides helpful material. It sets out four key steps that an organisation should take in responding to a data breach.
Step 1: Contain the breach and do a preliminary assessment
Once an agency suspects or discovers a data breach, it should immediately take ‘common sense’ steps to limit the breach, and then appoint a person to lead an assessment of the events leading up to it.
Step 2: Evaluate the risks associated with the breach
Agencies should then assess the risks associated with the breach and determine whether there is a risk of ongoing breaches involving the information.
Step 3: Consider notification
Agencies should then decide whether to notify the affected individuals. The OAIC guide recommends that if the data breach creates a real risk of serious harm, those affected should be notified.
Step 4: Prevent future breaches
The OAIC guide recommends that, once immediate steps have been taken to reduce the risks arising from the breach, agencies should consider whether to review their existing prevention plan, or to develop one if no such plan is in place.
Data security is an important issue in the current digital environment given the volume of personal information in existence. By following the risk management steps above, agencies can help to prevent data breaches and mitigate some of the damage that may be incurred if a breach does occur.