If your business collects personal information about your customers, you and your employees should know how to minimise the damage of a data breach. When a breach occurs, it is critical to act quickly. To ensure you have a fast response time, you should proactively map out steps to take during a data breach. Whether you have a plan in place or not, there are a few basic steps you should follow in case of a data breach. This article sets out how you should respond to a data breach and preventative measures you can implement.

What is a Data Breach?

A data breach refers to unauthorised access to, disclosure or loss of personal information. A data breach can be caused by events such as:

  • intentional hacking;
  • human error; or
  • technical error.

Personal information is information about an identified individual or an individual who is reasonably identifiable. Some typical examples of personal information which you must take extra steps to protect include a person’s:

  • name;
  • date of birth;
  • email address;
  • occupation;
  • gender; and
  • more sensitive details such as health information.

Responding to a Data Breach

Responding effectively to data breaches requires minimising harm for the people affected while still protecting your business interests. Given that many incidents can lead to data breaches and have different effects, breaches should be assessed individually. However, despite this variety, it is still possible to deal with data breaches consistently.

The recommended way for you to respond to a data breach can be broken down into four stages:

  1. contain the breach;
  2. assess the breach;
  3. notify the affected individuals; and
  4. review the incident.

Stages one to three are closely interlinked and should be carried out in swift sequence or even together.

1. Contain the Breach

If you discover or suspect that a data breach has occurred, you should urgently attempt to contain the breach. Sometimes, this means shutting down the breached system. However, this may be impractical depending on the system’s size, or unwise where shutting it down would destroy evidence. Consequently, your containment response may instead be to swiftly change or withdraw user access and address the security weakness which caused the breach.

2. Assess the Breach

As soon as you contain the breach, you should gather as much information about the breach as possible. By assessing the breach, you will be one step closer to understanding:

  1. how the breach occurred in the first place; and
  2. how you can address the risks caused by the breach and whether you need to notify anyone impacted by it.

Your assessment should look into:

  • what type of personal information was compromised in the breach;
  • the cause and extent of the breach;
  • what kind of harm the breach could lead to; and
  • what steps you can take to minimise any potential harm to the people impacted by the breach.

If the Notifiable Data Breach (NDB) Scheme applies to your business, you will need to assess whether the breach is likely to result in serious harm to anyone whose information was compromised. In this context, ‘likely’ means a 50% chance or higher, while ‘serious harm’ includes psychological, physical, financial or reputational harm.

If you do not believe the breach will result in serious harm, your first obligation is to conduct an assessment. While there are no strict guidelines for performing this assessment, the Office of the Australian Information Commissioner (OAIC) recommends you follow a three-step process by:

  1. initiating the assessment, by planning the process and assigning a team or person to handle the assessment;
  2. investigating the breach, by gathering information about the incident to determine what has occurred; and
  3. evaluating the breach, by deciding whether serious harm is likely to occur.

You are under an obligation to take reasonable steps to complete the assessment within 30 days. If you cannot do this within 30 days, make sure to document why you could not act within this time-frame.

3. Notify the People Affected and Relevant Authorities

Whether or not you notify the individuals impacted by the breach should be determined on a case-by-case basis. A notification can cause unnecessary stress and anxiety to users if the data breach carries little risk of harm. However, notifying individuals may also grow your business’ goodwill since you are signalling that you take privacy concerns seriously.

If your business falls under the NDB scheme, you must report breaches to anyone affected and to the OAIC if you believe the breach may result in serious harm. However, even if your business does not fall under the scheme, you should consider notifying the affected individuals. This will help to minimise the potential harm to them and any reputational harm to your business.

By notifying the people affected, you provide them with the opportunity to protect their personal information. A person may become aware of scams or change their login details as a result of your notification.

You should also determine whether your business falls under the European Union’s General Data Protection Regulation. If so, and a breach occurs which places people’s rights and freedoms at risk, you will have to notify:

  • the supervising authority in the relevant European country; and
  • the affected people.

You must also make these notifications within 72 hours of becoming aware of the breach.

Finally, you should consider reporting data breaches to other Australian authorities, such as the:

  • police;
  • Australian Securities and Investments Commission;
  • Australian Taxation Office; and
  • Australian Cyber Security Centre.

4. Review the Incident

Lastly, you should endeavour to be proactive about future breaches. Therefore, you should review how the breach occurred and what you have improved in your processes following the breach. This may include:

  • finding the root cause of the data breach;
  • developing a prevention plan to avoid similar incidents in the future;
  • undertaking an audit to ensure that the prevention plan is implemented;
  • reviewing your policies and procedures to see if changes need to be made;
  • training your employees; and
  • reviewing any service providers that were involved in the breach.

While reviewing, you should check for signs of previous incidents which indicate systemic security issues. If you did not have a data breach response plan established before the breach, now may be the time to draft and implement one.

Key Takeaways

If you suffer a data breach, you must act quickly. Even though every data breach should be assessed individually, you should strategically approach your response to the breach. This should include:

  • containing the breach;
  • assessing the situation;
  • notifying the affected individuals; and
  • reviewing the incident.

If your business falls under the NDB scheme, you must act upon any data breaches that are likely to result in serious harm. However, being proactive and notifying regulatory bodies and the people affected is recommended even if your business does not fall under the scheme. This allows people to minimise potential damage and take the opportunity to protect their personal information with precautionary measures.

If you need further assistance with responding to data breaches or complying with Australian privacy law, call LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.

Johan Lundstedt