Data Breach Response Planning 101
5 Steps to Start Preparing for the “When”, not the “If”.
February 22, 2018 was a big day in Australia’s data compliance history. Although it probably wasn’t marked on your calendar – it certainly was on ours, because it means all new things for a very broad swathe of Australia’s business community. The introduction on February 22 of the Notifiable Data Breach scheme has sharply upped the ante on the level of responsibility Australian businesses must now take for how they collect, store, use and share the data in their care.
The idea of data and the value it holds is a hot topic across all industry sectors today. Slogans like “data is the new oil” abound, highlighting the importance of data as a foundational element in digital-age business strategy and decision making. But like anything of tradeable, shareable or saleable value, your data is capable of being used well – to benefit individuals, businesses and communities…and maliciously – for financial theft, reputational sabotage, identity theft, wider-scale cyber-attacks, and more.
The introduction of the Notifiable Data Breach (NDB) Scheme in Australia now means that businesses must recognise the value of their data assets, and seek to protect the business, its employees, clients and users from the consequences of a data breach. This represents a major paradigm shift for a business sector used to set-and-forget security functions. Businesses now need to take ownership of their role in protecting their data assets, and take steps to get NDB ready.
5 Steps to Getting NDB Ready.
1. Find out who the new Notifiable Data Breach Scheme applies to
Australia’s Notifiable Data Breach scheme applies to:
- Entities with existing obligations under the Privacy Act;
- Australian government agencies, businesses and not-for-profit organisations that have an annual turnover of more than AU$3 million;
- Private sector health service providers, credit reporting bodies, credit providers, entities that trade in personal information and tax file number recipients;
- Entities that have Privacy Act security obligations in relation to particular types of information.
The critical point to note here is that the scheme has been designed to be as broad and all-encompassing as possible. There are many and varied inclusions and exclusions in these definitions. Even if you think this list leaves your business exempt, it is critical that you seek legal clarification from the outset to confirm your compliance obligations. Fines for failure to comply under the regulations will sit at around the AU$2 million mark, so that’s not a risk you want to take!
2. Understand what constitutes a data breach
Under the scheme, a data breach occurs when personal information is subject to unauthorised access or disclosure, or is stolen or lost. A data breach can be the result of malicious actions, simple human error, or system failures.
Some examples include:
- The loss or theft of devices, phones, laptops or other hardware, as well as paper-based records;
- Unauthorised access to personal information by an employee;
- Human error disclosures of personal information like an email being sent to the wrong person;
- Disclosure or capture of personal information by scammers, hackers, phishing or ransomware attacks.
3. Know your essential obligations under the NDB Scheme
The essential aim of the NDB Scheme is to build trust across industries and the business sector that personal data is being treated as a premium asset and handled accordingly. In this vein the NDB Scheme requires businesses to notify the Office of the Australian Information Commissioner about “eligible data breaches”, which include:
- When unauthorised access to or disclosure of personal information has or is likely to occur;
- When this is likely to result in serious harm to the individuals who can be identified from that information;
- When the business has been unable to prevent the likelihood of serious harm through some kind of remedial action.
These requirements now mean that businesses must undertake a process of assessment to determine whether any and all actual and suspected data breaches meet these criteria, thus triggering the mandatory notification requirements.
4. Implement a Data Breach Response Plan
In the event of an actual or suspected data breach, organisations have 30 days in which to undertake a data breach assessment and report if required. Businesses that are underprepared for the NDB scheme will find that these obligations will, at best, cost them time and money, and at worst, leave them exposed to even more serious breaches, fines and reputational damage in the future.
To be able to manage actual and suspected data breaches quickly and effectively, businesses need a comprehensive and up-to-date data breach response plan. Your data breach response plan needs to include:
- Definitions: Data breach details and definitions to ensure your staff can identify actual or suspected breaches and raise the alarm;
- Strategy: A coordinated strategy detailing the steps necessary to contain, assess, manage and recover from data breach incidents;
- Responsibilities: Which staff are responsible for what and when;
- Documentation: Details of how data breach identification, assessment, remediation, reporting and recovery actions will be documented;
- Review provisions: Regular review and audit procedures to test and refine your data breach processes.
5. Recognise that there is no one-size fits all approach
Each organisation’s data handling and protections will need to be as diverse and varied as the business it conducts and the people identifiable by that very data. In addition, some entities will be subject to other obligations outside the Privacy Act as well. There are some great resources provided to raise awareness and get organisations thinking about their requirements, but there is no simple A-to-Z get-ready guide. Each business must take the time now to determine exactly how, where and when its data is collected, stored, used and shared, and seek tailored and expert legal and business technology advice to ensure that its data breach response is all that it should be.
For more guidance and resources, visit the Australian Government Office of the Australian Information Commissioner at www.oaic.gov.au.