Responding to data breaches: four key steps
Data breaches can be caused or exacerbated by a variety of factors, affect different types of personal information and give rise to a range of actual or potential harms to individuals, agencies and organisations.
As such, there is no single way of responding to a data breach. Each breach will need to be dealt with on a case-by-case basis, undertaking an assessment of the risks involved, and using that risk assessment as the basis for deciding what actions to take in the circumstances.
There are four key steps to consider when responding to a breach or suspected breach:
- Step 1: Contain the breach and do a preliminary assessment
- Step 2: Evaluate the risks associated with the breach
- Step 3: Notification
- Step 4: Prevent future breaches
DATA BREACH OCCURS
Personal information is lost or subjected to unauthorised access, modification, use or disclosure, or other misuse or interference.
KEY STEPS IN RESPONDING TO A DATA BREACH
Step 1: Contain the breach and make a preliminary assessment
- Take immediate steps to contain the breach
- Designate a person or team to coordinate the response
Step 2: Evaluate the risks for individuals associated with the breach
- Consider what personal information is involved
- Determine whether the context of the information is important
- Establish the cause and extent of the breach
- Identify the risk of harm
Step 3: Consider breach notification
- Risk analysis on a case-by-case basis
- Not all breaches necessarily warrant notification
SHOULD AFFECTED INDIVIDUALS BE NOTIFIED?
Where there is a real risk of serious harm, notification may enable individuals to take steps to avoid or mitigate that harm. Consider:
- Legal or contractual obligations to notify
- Risk of harm to individuals (identity crime, physical harm, humiliation, damage to reputation, loss of business or employment opportunities)
Process of notification
- When? As soon as possible
- How? Direct contact preferred (mail or phone)
- Who? The entity with the direct relationship with the affected individual
- What? A description of the breach, the type of personal information involved, steps the individual can take to mitigate harm, and contact details for further information and assistance
SHOULD OTHERS BE NOTIFIED?
Step 4: Review the incident and take action to prevent future breaches
- Fully investigate the cause of the breach
- Consider developing a prevention plan
- Option of an audit to ensure the plan is implemented
- Update the security and response plans
- Make appropriate changes to policies and procedures
- Revise staff training practices
Step 1: Contain the breach and do a preliminary assessment
Once an agency or organisation has discovered or suspects that a data breach has occurred, it should take immediate, common-sense steps to limit the breach. These may include the following:
Contain the breach
Take whatever steps possible to immediately contain the breach.
For example, stop the unauthorised practice, recover the records, or shut down the system that was breached. If it is not practical to shut down the system, or if doing so would destroy evidence, then revoke or change computer access privileges or address the weaknesses in physical or electronic security that allowed the breach.
Assess whether steps can be taken to mitigate the harm an individual may suffer as a result of a breach.
For example, if it is detected that a customer’s bank account has been compromised, can the affected account be immediately frozen and the funds transferred to a new account?
Initiate a preliminary assessment
Move quickly to appoint someone to lead the initial assessment. This person should have sufficient authority to conduct the initial investigation, gather any necessary information and make initial recommendations. If necessary, a more detailed evaluation may subsequently be required.
Determine whether there is a need to assemble a team that could include representatives from appropriate parts of the agency or organisation.
Consider the following preliminary questions:
- What personal information does the breach involve?
- What was the cause of the breach?
- What is the extent of the breach?
- What are the harms (to affected individuals) that could potentially be caused by the breach?
- How can the breach be contained?
Consider who needs to be notified immediately
Determine who needs to be made aware of the breach (internally, and potentially externally) at this preliminary stage.
In some cases it may be appropriate to notify the affected individuals immediately (for example, where there is a high level of risk of serious harm to affected individuals).
Escalate the matter internally as appropriate, including informing the person or group within the agency or organisation responsible for privacy compliance.
It may also be appropriate to report such breaches to relevant internal investigation units.
If the breach appears to involve theft or other criminal activity, it will generally be appropriate to notify the police.
If the data breach is likely to involve a real risk of serious harm to individuals, or receive a high level of media attention, inform the OAIC. The OAIC may be able to provide guidance and assistance.
Where a law enforcement agency is investigating the breach, consult the investigating agency before making details of the breach public.
Be careful not to destroy evidence that may be valuable in determining the cause or would allow the agency or organisation to take appropriate corrective action.
Ensure appropriate records of the suspected breach are maintained, including the steps taken to rectify the situation and the decisions made.
Step 2: Evaluate the risks associated with the breach
To determine what other steps are immediately necessary, agencies and organisations should assess the risks associated with the breach.
Consider the following factors in assessing the risks:
- The type of personal information involved.
- The context of the affected information and the breach.
- The cause and extent of the breach.
- The risk of serious harm to the affected individuals.
- The risk of other harms.
Step 3: Notification
Agencies and organisations should consider the particular circumstances of the breach, and:
- decide whether to notify affected individuals, and, if so
- consider when and how notification should occur, who should make the notification, and who should be notified
- consider what information should be included in the notification, and
- consider who else (other than the affected individuals) should be notified.
Notification can be an important mitigation strategy that has the potential to benefit both the agency or organisation and the individuals affected by a data breach. The challenge is to determine when notification is appropriate: it will not always be the right response to a breach. Notifying individuals about low-risk breaches can cause undue anxiety and de-sensitise them to notices, so that a later notice of a serious breach is ignored. Each incident needs to be considered on a case-by-case basis to determine whether breach notification is required.
In general, if a data breach creates a real risk of serious harm to the individual, the affected individuals should be notified.
Prompt notification to individuals in these cases can help them mitigate the damage by taking steps to protect themselves. Agencies and organisations should:
- take into account the ability of the individual to take specific steps to mitigate any such harm, and
- consider whether it is appropriate to inform other third parties such as the OAIC, the police, or other regulators or professional bodies about the data breach.
Who else should be notified?
- Police — If theft or other crime is suspected. The Australian Federal Police should also be contacted if the breach may constitute a threat to national security.
- Insurers or others — If required by contractual obligations.
- Credit card companies, financial institutions or credit reporting agencies — If their assistance is necessary for contacting individuals or assisting with mitigating harm.
Step 4: Prevent future breaches
Once the immediate steps are taken to mitigate the risks associated with the breach, agencies and organisations need to take the time to investigate the cause and consider whether to review the existing prevention plan or, if there is no plan in place, develop one.
A prevention plan should suggest actions that are proportionate to the significance of the breach, and whether it was a systemic breach or an isolated event.
This plan may include:
- a security audit of both physical and technical security
- a review of policies and procedures and any changes to reflect the lessons learned from the investigation, and regular reviews after that (for example, security, record retention and collection policies)
- a review of employee selection and training practices, and
- a review of service delivery partners (for example, offsite data storage providers).
The plan may include a requirement for an audit at the end of the process to ensure that the prevention plan has been fully implemented.
Suggested preparations for responding to a data breach include the following:
- Develop a breach response plan
While the aim should be to prevent breaches, having a breach response plan may assist in ensuring a quick response to breaches, and greater potential for mitigating harm.
The plan could set out contact details for appropriate staff to be notified, clarify the roles and responsibilities of staff, and document processes which will assist the agency or organisation to contain breaches, coordinate investigations and breach notifications, and cooperate with external investigations.
- Establish a breach response team
Depending on the size of the agency or organisation, consider establishing a management team responsible for responding to personal information breaches. The team could include representatives from relevant areas that may be needed to investigate an incident, conduct risk assessments and make appropriate decisions (for example, privacy, senior management, IT, public affairs, legal).
The team could convene periodically to review the breach response plan, discuss new risks and practices, or consider incidents that have occurred in other agencies or organisations.
It may also be helpful to conduct ‘scenario’ training with team members to allow them to develop a feel for an actual breach response. Key issues to test in such training would be identifying when notification is an appropriate response, and the timing of that notification.
- Identify relevant service providers
Consider researching and identifying external service providers that could assist in the event of a data breach, such as forensics firms, public relations firms, call center providers and notification delivery services. The contact details of the service providers could be set out in the breach response plan. This could save time and assist in responding efficiently and effectively to a data breach.
- Enhance internal communication and training
Ensure staff have been trained to respond to data breaches effectively, and are aware of the relevant policies and procedures. Staff should understand how to identify and report a potential data breach to the appropriate manager(s).
Consider also making clear to individuals how their personal contact information would be used in the event of a breach. This may assist individuals to recognise and avoid 'phishing' scam emails that imitate breach notifications and ask recipients to verify their account details, passwords and other personal information.
Get ready for 2018
Read more about the changes to the Notifiable Data Breaches scheme, and how they affect your business.