In our previous insight, we discussed the Notifiable Data Breaches (NDB) scheme, which came into effect on 22 February 2018 and is administered by the Office of the Australian Information Commissioner (OAIC).
Although complying with the scheme can be complicated, it is important that you understand your obligations under it. If you fail to notify an eligible data breach, the OAIC may seek a civil penalty order against you. It is therefore crucial that you take a suspected or actual data breach seriously and move immediately to contain, assess and remediate the incident. Breaches that initially seem immaterial may prove significant once their full implications are known.
To assist your organisation, we have prepared a summarised step-by-step guide to managing notifiable data breaches.
1. Maintain information, governance and security
To reduce the risk of data breaches, make sure your privacy and data security practices, procedures and systems are up to date and reviewed regularly. It is vital that your organisation has a data breach response plan in place which clearly describes the steps you will take if a breach occurs.
Prevention in the first instance is key, but it should be paired with an "assume breach" mindset: if you build your operations and defences on the assumption that you will experience a breach at some stage, your organisation is far more likely to detect a breach early and to limit its impact.
Keeping regular, tested backups and maintaining good password hygiene are two of the most important steps you can take to protect your data. Other baseline mitigation strategies are the well-known Essential Eight, drawn from the Australian Cyber Security Centre's Strategies to Mitigate Cyber Security Incidents.
2. Identify the suspected or actual data breach
Try to identify which systems and data have been compromised, how the breach occurred and whether it is still ongoing.
3. Contain the breach
Take immediate steps to contain the breach. This means that, to the extent possible, you need to limit any further access to or distribution of the affected personal information, and prevent the compromise of additional information held in the same system.
4. Evaluate the risks
Promptly investigate the breach and evaluate both the obvious and the less obvious risks arising from it. You will need to assess whether the breach is likely to result in serious harm to any of the individuals whose information was involved. Under the Privacy Act, this assessment must be reasonable and expeditious, and you must take all reasonable steps to complete it within 30 days of becoming aware of the suspected breach. The OAIC recommends that the assessment be documented.
5. Take remedial action to reduce the likelihood of serious harm
Take all reasonable steps to reduce any potential harm to individuals. This may involve recovering lost information before it is accessed, or changing access controls on compromised accounts before unauthorised access can occur. If your remedial action means that serious harm is no longer likely, the breach is not an eligible data breach and notification is not required.
6. Decide whether to notify: does the breach fall within the Notifiable Data Breaches scheme under the Privacy Act 1988?
Consider whether the breach falls within the NDB scheme as soon as practicable after becoming aware of it.
A breach falls under the NDB scheme when:
- there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation or agency holds;
- this is likely to result in serious harm to one or more individuals; and
- the organisation or agency hasn’t been able to prevent the likely risk of serious harm with remedial action.
If the breach does not fall under the scheme, proceed to step 8.
7. Inform all individuals at risk of serious harm
If you have suffered an eligible data breach, you must prepare a statement for the OAIC and notify the affected individuals as soon as practicable. The statement must include your organisation's identity and contact details, a description of the breach, the kinds of information involved, and recommendations about the steps individuals should take in response. Consider carefully the messages your organisation gives in relation to the breach: they should be clear, accurate and focused on helping the affected individuals protect themselves.
8. Review the incident
Review and evaluate the incident and document your conclusions. Take action to prevent or mitigate the effects of future data breaches.
For more assistance with your compliance requirements under the NDB scheme, do not hesitate to contact Katherine Sainty at Katherine.firstname.lastname@example.org