Preparation, prevention and rectification: OAIC releases “Guide to developing a data breach response plan” for public comment

In an update we sent out this time last year, “Names, addresses and lonely hearts”, we examined Cupid Media Pty Ltd’s 2014 security breach (in which hackers were able to access and steal the personal information of around 254,000 Australian customers) and Cupid Media’s obligations under the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles with respect to protecting and securing the personal information in its possession, and with respect to responding to and managing its security breach.

In October 2015, the Office of the Australian Information Commissioner (OAIC) released its draft “Guide to developing a data breach response plan” (Guide) to the public for consultation.  The Guide is intended to provide more information on the steps agencies and organisations can take to ensure that they have the right people, systems and mechanisms in place to be ready to manage a data breach – that is, to help agencies and organisations develop their own fit-for-purpose and tailor-made data breach response plans.

Although the Guide is currently only in draft form (with submissions to the OAIC set to close on 27 November 2015), it provides a useful indication of the preparatory and preventative steps the OAIC expects agencies and organisations to have taken to ensure they are able to respond to any given breach, and of how the OAIC may expect agencies and organisations to go about rectifying any breach which may arise.

What is a data breach?

A ‘data breach’ occurs when personal information held by an entity is lost or subjected to unauthorised access, modification, disclosure or other misuse or interference.  An example of a data breach (also the subject of an OAIC-initiated investigation) occurred in late 2013 when Adobe Systems Software Ireland suffered a cyber-attack that affected more than 1.7 million customers in Australia alone.  The data accessed during the attack (which included email addresses, encrypted passwords, plain text password hints and encrypted payment card numbers and expiration dates) was held on a backup system that had been designated to be decommissioned.

In some circumstances, such as in Adobe’s case, a ‘data breach’ may be held to constitute a breach of the Privacy Act.

But why do I need a breach response plan?

Although the OAIC’s Guide will not be legally binding on parties, it does reflect and reiterate the principles and obligations that agencies and organisations captured by the Privacy Act are expected to operate in accordance with and to uphold and, further, the best practice standards for entities which are not covered by the Privacy Act.

The Guide suggests that all entities should have a response plan – particularly given that an entity’s initial response to a data breach can go a long way to decreasing the impact of that breach on affected individuals.  In any event, plans of this kind can also assist entities in meeting their obligations under the Privacy Act, protecting their business assets, dealing with the negative reputational responses which may flow from such a breach and building confidence amongst their customers or clients as to their capacity to protect and secure personal information.

What should a data breach response plan include and touch on?

A data breach response plan sets out the system or program via which your entity will deal with and manage a data breach.  This will include the steps that your entity will take if a breach is suspected or discovered, the employees or members of your organisation who will form part of the internal ‘data breach response team’ and the actions the various members of that team will take as and when a breach occurs.

The plan should touch on or cover:

  • A strategy for assessing and containing breaches: As set out in our article last year, it will be necessary for your data breach response team to evaluate the extent of the breach, the type of personal information involved and the harm that may flow from that breach, and then to adopt mechanisms via which to attempt to contain that breach.
  • A clear explanation of what constitutes a data breach: This will help ensure that all of the employees or members of your entity – whether they are part of the data breach response team or not – are able to identify data breaches if and when they arise.
  • The reporting line if staff or members of your entity suspect a breach and the circumstances in which particular officers or individuals will deal with or handle a given breach.
  • Who is responsible for overseeing the implementation of the measures to ‘contain’ the breach.
  • Who is responsible for contacting those individuals or groups who may have been affected by the breach and how that information will be communicated to those individuals or groups.
  • The system for recording the breach(es).
  • Strategies for identifying the cause(s) of the breach and the ways in which to address the cause(s).

Where do I go from here?

The important things to remember are that:

  • any data breach response plan your entity decides to put in place will need to be fit for purpose and suitable for your entity – that is, capable of addressing the kinds of breach(es) that your entity may be subject to;
  • the data breach response plan will need to provide for the following key steps – containing the breach and assessing the breach, evaluating the risks associated with the breach, notification of the likely affected parties and, if necessary, notification of the OAIC, and the steps to be taken to prevent similar future breaches; and
  • a failure to produce and to implement a suitable data breach response plan may be found, in a worst case scenario, to constitute a breach of the Privacy Act.

Lavan Legal comment

If your entity requires any assistance in setting up or developing a suitable data breach response plan, please contact Iain Freeman.

Disclaimer – the information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.