If your business collects personal information about your customers, you and your employees should know how to minimise the impacts of a data breach. Data breaches are common and impact even large international companies, such as Uber, Equifax and Ashley Madison. Failing to address a data breach adequately can lead to hefty fines. Therefore, you should proactively establish a data breach response plan so you have a strategy ready if a breach does occur. This article sets out the benefits of having a data breach response plan and outlines the process of setting one up.
What is a Data Breach?
A data breach refers to unauthorised access, disclosure or loss of personal information. A data breach can be caused by events such as intentional hacking, human error or technical error. Personal information is information about an identified individual or an individual who is reasonably identifiable. Some typical examples of personal information which you must take extra steps to protect include a person’s:
- date of birth;
- email address;
- gender; and
- more sensitive details such as health information.
What is a Data Breach Response Plan?
A data breach response plan sets out the roles and responsibilities of your business when managing a data breach. Overall, this document describes the steps your team will take if a data breach occurs and how to mitigate potential damage.
Do I Need a Data Breach Response Plan?
The Australian Privacy Principles (APPs) outline how government agencies, private businesses and not-for-profit organisations must manage personal information. Generally, this applies to entities with an annual turnover of more than $3 million. However, organisations with less than $3 million in turnover may also be subject to the APPs if they trade in personal information or provide health services.
If your business needs to comply with the APPs, you must take reasonable steps to protect personal information from:
- misuse, interference and loss; and
- unauthorised access, modification or disclosure.
However, you are not legally obligated to implement a data breach response plan into your business dealings. Instead, you should consider it a proactive measure to help your business act quickly if a breach occurs. Overall, the plan is intended to improve your odds of minimising the damage to your consumers and business during a breach.
What Should the Data Breach Response Plan Include?
Your plan should include a response process which contains detailed information on:
- what a data breach is and how your employees can identify a breach;
- the members of your data response team and the correct point of contact;
- how to contain a data breach;
- how to assess the risks of a data breach;
- the steps a response team should follow after being notified of a potential breach;
- how to notify the people whose information was breached;
- how to ensure any breach notifications follow the Notifiable Data Breaches scheme;
- the correct process to document data breaches, including those incidents which are not escalated to the response team; and
- how to review an incident and prevent future breaches.
Your Data Breach Response Team
Having well-trained staff who can deal with a data breach will assist in minimising the data breach’s damage. While all your staff should have some data breach training, you should additionally establish—if possible—a specific response team.
It is crucial to act promptly during a data breach. Therefore, anyone on your response team should have the authority to act independently without seeking permission from senior management. Further, you should ensure the members’ contact details are up-to-date and that other staff can easily contact the team. Generally, a data breach response team will include:
- a team leader who leads the data breach response team and reports to the senior management team;
- a project manager who coordinates the work of the data breach response team;
- a privacy officer who is the privacy expert in the data breach response team; and
- a legal officer who provides legal insights and advice to the rest of the team.
Lastly, your team may include additional support and specialist roles such as:
- risk management;
- information and communications technology forensics;
- information and records management;
- human resources; and
- media and communications.
Maintaining Your Data Breach Response Plan
You should ensure your staff are aware of where you have stored the data breach response plan. This is particularly important if your work regularly takes you away from the office. Additionally, your staff should be aware of the practical response procedures, not just the theory. It may be helpful to role-play hypothetical data breach scenarios to better prepare your response team.
Finally, you should regularly review your data breach response plan. This is to ensure it reflects the way your business currently handles data and personal information. As such, you may benefit from scheduling response plan reviews every six months or even more regularly.
The best way to prepare for an efficient data breach response is to implement a data breach response plan. This will set out the roles and responsibilities of your team members if your business suffers a data breach. The plan should describe in detail the steps those involved will need to take to minimise potential damage.
Consequently, your plan should include a data breach response process to guide your team in identifying and responding to eligible data breaches. Combined with adequate training, and if implemented correctly, your plan may limit your liability if a data breach ever occurs.
If you need further assistance with preparing a data breach response plan or complying with Australian privacy law, call LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.