The Legal environment has changed
The Australian legal environment regulating data protection has changed in the last few months. On February 22nd the OAIC (Office of the Australian Information Commissioner) authorised the rollout of the Mandatory Data Breach Notification Scheme, under Section III of the Privacy Act 1988 (Cth).
This new federal legislation gives the OAIC the ability to fine individuals up to $360,000 and organisations up to $1.8 million if they do not report data breaches to the OAIC or otherwise fail to meet the terms laid out in Section III of the Privacy Act.
If you need a refresher on this new legislation please click here to read an earlier article.
What counts as a data breach?
A data breach is simply any unauthorised access to private information or data. Specific examples of this include:
- Unauthorised access to files containing the home addresses, phone numbers and other sensitive information of employees or customers of an organisation.
- Stolen equipment (laptops, tablets, USB drives etc.) which holds sensitive information about individuals or organisations.
- A document containing sensitive medical information about an individual being lost or misplaced.
This can cover a great many situations, and the OAIC understands that not all data breaches need to be reported. A data breach only needs to be reported if it meets both of the following requirements:
- a) There is potential that harm or damage could occur as a result of the data breach.
- b) There is nothing the organisation can do to remediate the potential for this harm to occur.
Using these two measures, how many of the above examples do you think you would need to report, and how, when and where would you complete the report? This is what a Data Breach Response Plan (DBRP) covers.
What a DBRP includes
After a data breach has been found to have occurred, an organisation needs to understand what its reporting obligations are, which is exactly what a DBRP defines. A DBRP sets out the proper procedure to assess the data breach, find measures to remediate the damage (if possible) and safely defuse the situation.
When an organisation has a well-structured DBRP it can greatly reduce any damage done by the data breach, as well as any negative publicity which might occur as a result. This can save the organisation millions in damages (read here our article on the costs of infamous data breaches).
Creating a DBRP
Creating a DBRP is a lengthy process but a worthwhile one. To begin creating a DBRP you need to consider the following:
- Understand which entities require notification in the event of a data breach.
- Create the response team, which sets out which individuals will take responsibility for assigned actions throughout the data breach investigation.
- Revise the steps of containing, assessing, notifying and reviewing the incident, all within the 30 day period given by the OAIC.
- Document who makes the final review and submission to the OAIC.
If your organisation is considering creating a data breach response plan but still has questions, please feel free to reach out for a discussion or consultation on 1300 133 966 or email us at email@example.com