Data breach incidents are an unfortunate reality of 21st century life. A recent study of data breach incidents in Australia found that, on average, a cyber breach costs business $2.82 million to rectify.
Apart from the financial costs, there are other compelling reasons why businesses should take data breach management seriously. Not to mention that the Federal Government has just released a draft bill that would require businesses to notify the Federal Privacy Commissioner and affected individuals of serious data breaches involving personal information. Read more here.
You can take steps to protect your business from data breaches and reduce their impact if they occur.
In this article we outline five actions to better data breach management. Following these steps will also help your business comply with the Privacy Commissioner’s voluntary guidelines on data breach notification, and prepare for the potential introduction of mandatory notification requirements in Australia.
It is essential the decision makers in your business understand (and monitor) the types and amount of personal information that the business holds, and how/where that information is stored.
Under the Privacy Act, entities are responsible for the security of any records containing personal information (whether physical or electronic) that are in the entity’s possession or control. This can include information that is processed or stored by external service providers (including cloud storage providers). Particular care should also be taken to identify and manage archived and backup copies of data.
Your business’ risk and compliance governance procedures should incorporate regular reporting on information security and data storage issues so that management has appropriate visibility of any risks and can take a co-ordinated approach to manage them. These matters should be reported on at the most senior levels of governance in an organisation.
Your business should have appropriate operational procedures (and contractual rights) in place so that you can promptly and accurately identify and assess any security breaches affecting your data, regardless of whether the breach is suffered by you or your service provider.
Ideally, contracts should include a clause requiring the service provider to immediately notify the customer of any security breaches affecting the customer’s data, and to co-operate with the customer in connection with the management of the breach.
You should also seek to ensure that the contractual trigger for notification operates on an objective basis, and is not subject to an assessment of severity by the service provider.
The cost of managing data breaches should also be addressed in the contract. The contract should include appropriate liability positions, indemnity obligations and insurance requirements.
The Privacy Commissioner recognises that it is not possible (nor required under the Privacy Act) for businesses to design completely impenetrable security systems. Rather, organisations are required to implement information security measures that are “reasonable” in the circumstances (based on factors such as the nature of the business and the amount and sensitivity the personal information held).
The Privacy Commissioner says that determining whether a reasonable security measure has been put in place should not be judged solely by reference to the expense of the implementation.
A good information security program should incorporate both proactive and reactive risk management – it should:
Implementing sufficiently strong reactive security measures (such as an adequate level of data encryption) could potentially save you from having to notify, as the proposed Australian data breach notification regime would allow businesses to consider factors such as “whether the information is in a form that is intelligible to an ordinary person” and “whether the information is protected by security measures” when determining whether a data breach is “serious” (thereby triggering the notification requirement).
It’s critical to identify data breach incidents quickly so that remedial steps and notifications can be performed in a timely manner. The notification requirements under the proposed mandatory data breach notification regime will apply to any serious data breaches that the organisation “ought reasonably to be aware of”.
Businesses can consider breach detection measures such as:
Your business should have a clear data breach plan in place that sets out a strategy for identifying and remedying the source of a data breach. The plan should also identify key responsible personnel, and set out the procedures for determining whether notice should be given of the breach.
A good starting point in designing the plan would be to refer to the Government’s draft bill on the proposed mandatory data breach notification regime. The Privacy Commissioner has also published a range of guidance materials on data breach management, and is currently in the process of public consultation on a draft Guide to Developing a Data Breach Response Plan (although it should be noted that the consultation draft of the Guide was released prior to the draft bill, and so does not currently reflect the proposed mandatory data breach notification regime).
Businesses should also consider having a list of “go-to” subject matter experts that can be engaged at short notice to assess the severity of the breach, advise on steps on containment and risk mitigation and determine whether notification is required.
You may also like to read our related articles: