Data Breach Notification

In this blog we investigate why your organisation needs a communication strategy and elaborate on what is meant by a ‘Data Breach’ and ‘Real risk of serious harm’.

Benefits of a good Communication Strategy

The quicker you can control communications and provide sufficient information about an incident, the less likely you are to suffer from reputational damage. People understand that things happen, we cannot achieve 100% security after all; however, they do expect organisations to be able to communicate what has happened, why and how it impacts them in a timely manner.

Without well-defined incident management, response and communication strategies, there is also a danger that a rush to notify potential victims without understanding the scope, compliance failures and impact could be equally damaging.

The benefits of a pre-planned communication strategy include:

  • All staff are aware of their responsibilities regarding communication
  • An authority who speaks on behalf of the company for consistent messaging
  • Provides the company time to clearly state what happened and how the crisis is being managed, instead of the media
  • Reduces confusion, speculation and rumours
  • Demonstrates trust and reliability to the public and third parties
  • Demonstrates that the company values their customers and is working to protect affected individuals from the impact of the data breach.

What does the Privacy Act consider a “Data Breach”?

A Data Breach is an event which infiltrates a company’s critical information relied on to provide products and services. This information can range from confidential business information, sensitive data (like medical records, intellectual property), intellectual property and much more; breaches impact the confidentiality, integrity, and availability of information or data.

External threats, such as hackers, are not the only cause of data breaches; data breaches can result from internal actions, a lack of awareness training or even a disgruntled employee.

Of course, the Privacy Act is only concerned about events that have or are likely to impact personal information. Although, any organisation regardless of whether they have specific privacy requirements, should take incident response and communication seriously. 

Real risk of serious harm”. What does this mean?

The obligation to notify the Office of the Australian Information Commissioner (OAIC) and individuals is when the data breach “could give rise to a real risk of serious harm to affected individuals”. 

The Act states that an “Eligible Data Breach” occurs if:
i. there is unauthorised access to, or unauthorised disclosure of, the information; and
ii. a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates;

or

The information is lost in circumstances where:
iii. unauthorised access to, or unauthorised disclosure of, the information is likely to occur; and
iv. assuming that unauthorised access to, or unauthorised disclosure of, the information were to occur, a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates;

What do I need to do?

  1. Assess whether there has been a serious data breach. Ensure all incident response plans outline what is determined to be a “serious” data breach and provide adequate assurance that a timely assessment was made.
  2. Have a mechanism in place that enables you to record decisions made about the incident. Particularly if the response team determines it was not serious, how was this decided? This should be a repeatable process.
  3. Ensure that the assessment can be completed within 30 days (Section 26WH of the Act). The period starts when the company becomes aware, or ought to reasonably have become aware, of a data breach. The response plans and strategies should therefore be tested to ensure the company:
  • Has the capability to detect a data breach in a timely manner
  • Can evaluate the situation and record decisions made
  • Can collate the required information that must be communicated
  • Can complete an assessment within 30 days.

If you would like help in designing your incident response strategies or have any specific questions, contact us today at enquiries@ISDCyber.com, or follow us on LinkedIn at https://www.linkedin.com/company/isdcyber

About the Author:

Yvonne Sears MSc, LLM, CIPM, CISM, PICIP, MBCI, FIP, FAISA

Yvonne’s experience quantifies her as having one of the most credible voices in Privacy anywhere in the world. The multi-discipline qualifications, certifications and experience held by Yvonne are overwhelmingly impressive and you would be hard pushed to find anyone as qualified across the globe.

Yvonne is a veteran of the Information Security, Risk/Governance & Business Continuity industries, and her passion is Privacy and Business Resilience, and has spent the last 22 years working in Government, Corporate and Private industry throughout the globe, the UK and Australia.

For recognition of her years of service, she has been awarded as an AISA Fellow and IAPP Fellow of Information Privacy.

Yvonne has been a major contributor on several trailblazing privacy projects some ongoing in Australia and in the UK. The outcomes from these projects have proven to be globally significant and the repercussions have paved the way on data sharing and privacy issues in sensitive and complex areas.