How to know if our organisation has suffered a Data Breach?
This is the main question on many executives' and business owners' minds as the Notifiable Data Breaches Scheme (Section III of the Privacy Act 1988) and now the GDPR set in. The challenge in the minds of many business owners is:
‘How do we safely find out whether we have been breached and take steps to remediate the damage without incurring large fines and a smeared reputation if we have been breached?’
To answer this question we need to break it down into several segments. The first question on many business owners' minds is:
‘Can I or my company be fined if we investigate and find previous data breaches have occurred?’
The answer is no: the Notifiable Data Breach Scheme (NDBS) clearly sets out that businesses must only act after they become aware a Data Breach (DB) has occurred. Once they are aware a DB has occurred, or is likely to have occurred, they need to assess the breach and report it to the authorities based on its severity.
The only scenario in which a fine could be handed out to a business is if it became known that people within the business found out about the data breach and took no steps to remediate the damage or update the security policy.
So, knowing that it is safe to gaze into the past for data breaches without fear of major reprisal, the next question becomes:
‘How do we search our company for past data breaches?’
Searching your company's IT systems requires security scanning software, which works by performing a company-wide scan of all data, emails, IT records, and files.
The scan searches your records for any suspicious activity, such as foreign software leaking information to the outside, emails with sensitive data that went astray, or any other activity or software which could potentially amount to a data breach, past or present.
This scan compiles the data and creates a report on any past activity which could be considered a data breach, for the decision-makers to act on. This leads us to the next part of the question:
'What do we do if we find past activity that could be considered a data breach?'
Once your business has the report you'll need to act quickly and appropriately, as not doing so is where fines can be issued by the OAIC. Let's say you have a data breach (most businesses will). The first thing your company will need to do is assess the severity of the data breaches which have occurred.
This will mean assessing whether the data breaches are likely to cause harm and whether there are any actions the company can take which might remediate possible harm. This process is best led by an IT Security professional.
Any data breaches which are likely to cause harm and which cannot be remediated need to be reported to the OAIC within 30 days of the data breach becoming known. Not doing so is where companies open themselves up to potential fines.
Some companies may still worry about a smeared public image from coming forward and reporting data breaches. While this is a potential reality after a data breach, any PR damage can be greatly minimized by moving forward correctly and with full transparency.
This process is part of a Data Breach Response Plan (DBRP), which is a plan (similar to a fire drill) laying out a series of steps and responsibilities for minimizing the damage done after a data breach occurs. However, a full discussion of a DBRP requires a separate article of its own.
If you need advice on investigating whether you've suffered a Data Breach, or have any questions about how to safely defuse a breach that has already occurred, please get in contact below.
For information on creating a Data Breach Response Plan click here.