Data Breach Response Plan
One of the most important documents an organisation needs in order to find its way back to safety during an eligible data breach
28th February 2018
As organisations across Australia come to grips with the amendments to the Privacy Act 1988 that dictate how an organisation must report eligible data breaches, there is one commonly forgotten area of due diligence: the Data Breach Response Plan (DBRP).
A data breach response plan provides a series of steps that let an entity respond quickly to a data breach. Responding quickly substantially decreases the repercussions of the breach, reduces the cost of dealing with it and limits the potential reputational damage.
A DBRP should achieve three things:
- Meet your obligations under the Privacy Act
- Limit Consequences of a Data Breach
- Preserve and build public trust
To create a DBRP, work through the following steps:
1. Understand Which Entities Require Notification
First, work out which stakeholders will need to be notified of an eligible data breach, in addition to the OAIC and the affected individuals, who must be notified under the NDB scheme. Depending entirely on the entity and the nature of the data breached, this could include any of the following:
- the entity’s financial services provider
- police or law enforcement bodies
- the Australian Securities & Investments Commission (ASIC)
- the Australian Prudential Regulation Authority (APRA)
- the Australian Taxation Office (ATO)
- the Australian Transaction Reports and Analysis Centre (AUSTRAC)
- the Australian Cyber Security Centre (ACSC)
- the Australian Digital Health Agency (ADHA)
- the Department of Health
- State or Territory Privacy and Information Commissioners
- professional associations and regulatory bodies
- insurance providers.
2. Create the 'Response Team'
The response team is the group of individuals who take responsibility for assigned actions throughout the containment, assessment, notification and review of each potential data breach event. It will usually include the following roles:
- A team leader — who is responsible for leading the response team and reporting to senior management
- A project manager — to coordinate the team and provide support to its members
- A senior member of staff with overall accountability for privacy and/or key privacy officer — to bring privacy expertise to the team
- Legal support — to identify legal obligations and provide advice
- Risk management support — to assess the risks from the breach
- Information and Communication Technology (ICT) support/forensics support — this role can help establish the cause and impact of a data breach that involved ICT systems
- Information and records management expertise – to assist in reviewing security and monitoring controls related to the breach (for example, access, authentication, encryption, audit logs) and to provide advice on recording the response to the data breach
- Human resources (HR) support — if the breach was due to the actions of a staff member
- Media/communications expertise — to assist in communicating with affected individuals and dealing with the media and external stakeholders.
3. Responding to data breaches — four key steps
A DBRP should set out the responsibilities at each of the four stages below, including which individuals must investigate and what their roles are within each stage.
These individuals will need to examine how the breach occurred, which types of personal information were compromised, and what actual or potential harm to individuals and entities may arise as a result.
There is therefore no single way of responding to a data breach. Each breach must be dealt with on a case-by-case basis, with an understanding of the risks it poses and of the actions that would be most effective in reducing or removing those risks. The four steps are not strictly sequential; in practice, containment, assessment and notification often run in parallel.
Step 1: Contain the data breach to prevent any further compromise of personal information.
Step 2: Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm. Under the NDB scheme the entity must take reasonable steps to complete this assessment within 30 days of becoming aware of grounds to suspect an eligible data breach.
Step 3: Notify individuals and the Commissioner if required. If the breach is an ‘eligible data breach’ under the NDB scheme, notification is mandatory unless an exception applies, and must be made as soon as practicable.
Step 4: Review the incident and consider what actions can be taken to prevent future breaches.
4. Report to the OAIC if Necessary
The DBRP must set out a clear set of criteria, applied during the assessment step, for deciding whether a statement must be submitted to the OAIC.
Statements to the OAIC are submitted through the online form on its website and must include the following information:
- The identity and contact details of the entity.
- A description of the data breach.
- The kind or kinds of information compromised.
- Recommendations about the steps individuals should take in response to the breach. It is also good practice to record the remediation action taken to mitigate any damage or harm.
This final step must be carefully laid out in the DBRP, detailing who is responsible for submitting the statement to the OAIC. Usually several individuals will vet and review the statement before it is submitted.