In an update we sent out this time last year, “Names, addresses and lonely hearts”, we examined Cupid Media Pty Ltd’s 2014 security breach (when hackers were able to access and steal the personal information of around 254,000 Australian customers) and Cupid Media’s obligations under the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles with respect to protecting and securing the personal information in its possession and with respect to responding to and managing its security breach.
In October 2015, the Office of the Australian Information Commissioner (OAIC) released its draft “Guide to developing a data breach response plan” (Guide) to the public for consultation. The Guide is intended to provide more information on the steps agencies and organisations can take in order to ensure that they have the right people, systems and mechanisms in place to be ready to manage a data breach – that is, to help agencies and organisations develop their own fit for purpose and tailor made data breach response plans.
Although the Guide is currently only in draft form (with submissions to the OAIC set to close on 27 November 2015), it provides a useful indication of the preparatory and preventative steps the OAIC expects agencies and organisations to have taken in order to ensure they are able to respond to any given breach, and of how the OAIC may expect agencies and organisations to go about rectifying any breach which may arise.
What is a data breach?
A ‘data breach’ occurs when personal information held by another entity is lost or subjected to unauthorised access, modification, disclosure or other misuse or interference. An example of a data breach (also the subject of an OAIC initiated investigation) occurred in late 2013 when Adobe Systems Software Ireland suffered a cyber-attack that affected more than 1.7 million customers in Australia alone. The data which was accessed during the attack (which included email addresses, encrypted passwords, plain text password hints and encrypted payment card numbers and expiration dates) was held on a backup system that had been designated to be decommissioned.
In some circumstances, such as in Adobe’s case, a ‘data breach’ may be held to constitute a breach of the Privacy Act.
But why do I need a breach response plan?
Although the OAIC’s Guide will not be legally binding on parties, it does reflect and reiterate the principles and obligations that agencies and organisations captured by the Privacy Act are expected to operate in accordance with and to uphold, and further, the best practice standards for entities which are not covered by the Privacy Act.
The Guide suggests that all entities should have a response plan – particularly given that an entity’s initial response to a data breach can go a long way to decreasing the impact of that breach on affected individuals. In any event, plans of this kind can also assist entities in ensuring that they meet their obligations under the Privacy Act, protect their business assets, deal with the negative reputational responses which may flow from such a breach and build confidence amongst their customers or clients as to their capacity to protect and secure personal information.
What should a data breach response plan include and touch on?
A data breach response plan will be the system or program via which your entity will deal with and manage a data breach. This will include the steps that your entity will take if a breach is suspected or discovered, the employees or members of your organisation who will form part of the internal ‘data breach response team’ and the actions the various members of that team will take as and when a breach occurs.
The plan should touch on or cover:
Where do I go from here?
The important things to remember are that:
Lavan Legal comment
If your entity requires any assistance in setting up or developing a suitable data breach response plan, please contact Iain Freeman.