The Office of the Australian Information Commissioner (OAIC) promotes and upholds privacy and information access rights for all Australians with a range of powers and responsibilities under the privacy acts and other laws.
Having a response plan for a data breach is critical to effectively managing a breach.
- Responding quickly to a breach reduces the theft, costs and personal harm associated with data breaches and limits the potential undermining of your business’s reputation that may result.
- Your data breach response starts with a high-level and detailed plan of your entity’s strategy for containing, assessing, and managing the incident from start to finish.
Why do you need a data breach response plan?
- A data breach response plan enables entities to respond quickly to a data breach.
- A quick response can reduce the likelihood of affected individuals suffering harm. It can also lessen financial or reputational damage to the entity that experienced the breach.
- Preserve and build public trust
An effective data breach response can support consumer and public confidence in an entity’s respect for individual privacy, and the entity’s ability to manage personal information in accordance with community expectations.
What is a data breach response plan?
- A data breach response plan sets out the steps, roles and responsibilities involved in managing a data breach.
- It is important for staff to be aware of where they can physically access the data breach response plan on short notice and in writing.
- How regularly you test your plan will depend on your circumstances, including the size of your entity, the nature of your operations, the possible adverse consequences to an individual if a breach occurs, and the amount and sensitivity of the information you hold. It may be appropriate in some instances that a review of the plan coincides with the introduction of new products, services, system enhancements, or such other events which involve the handling of personal information.
What should the plan cover?
- The more comprehensive your data breach response plan is, the better prepared your entity will be to effectively reduce the risks and potential damage that can result.
This will assist your staff in preparing for a data breach should one occur.
- Reduce the potential impact of a data breach by clearly establishing and documenting roles and responsibilities before a data breach occurs. Otherwise, your response to the breach may be unnecessarily delayed.
- Develop a plan that reflects the capabilities of your staff to adequately assess data breaches and their impact, especially when breaches are not escalated to a response team.
- Clear communications strategies are needed in the event of a breach for the prompt notification to all affected individuals and relevant entities.
- Who is responsible for communications and for determining when affected individuals and external stakeholders should be notified under the mandatory data breach notification requirements?
- See Identifying Eligible Data Breaches for further information about mandatory data breach notification requirements under the NDB scheme at www.oaic.gov.au
- How will affected individuals be contacted and managed?
- This will also include the criteria for determining which external stakeholders should be contacted (for example, law enforcement and cyber security agencies, regulators such as the OAIC, and the media).