
My Data Rules: A Recipe for Creating Your Data Breach Response Plan

CREDITORWATCH | 12 MIN READ

How do you respond?

  • Your office cleaners tell you they threw a customer list in the waste bin, now emptied by the garbage truck – should you be worried?
  • Your laptop is left on the train, unlocked and able to access client data – is that a problem?
  • One of your staff opens an email attachment that appears to be a remittance advice – malware has been installed and you are locked out. What should you do?

Contents

1. Notifiable Data Breaches (“NDB”)
2. What to do when you have a Data Breach
3. What not to do when you have a Data Breach
4. Action points and Takeaways
5. Who can help when you have a Data Breach

Notifiable Data Breaches (“NDB”)

With the commencement of the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) on 22 February 2018, which inserted the Notifiable Data Breaches scheme into the Privacy Act 1988 (Cth) (“Privacy Act”), businesses covered by the Act must notify the regulator, the Office of the Australian Information Commissioner (“OAIC”), and affected individuals about an “eligible data breach”. In practice this also means having a Data Breach Response Plan: the OAIC treats a plan as part of the “reasonable steps” to protect personal information that APP 11 already requires.

Credit Professionals who deal in risk management daily will know privacy is yet another area of business where their risk management skills can come into their own. Protecting the assets of the business is a core responsibility for credit managers. The requirement for an NDB Response Plan is an ideal opportunity for credit managers to shine.

The Do’s

Whether you like it or not, you need a plan for dealing with data breaches before an “eligible data breach” occurs (the heat in the kitchen can be stifling once it does).

An eligible data breach occurs where there is unauthorised access to, unauthorised disclosure of, or loss of personal information your business holds, and a reasonable person would conclude that this is likely to result in serious harm to any of the individuals to whom the information relates, and you have not been able to remove that likelihood of serious harm through remedial action. Here is our checklist of WHAT TO DO when this happens:

1. CONTAIN the breach

  • Consider the type of data you are dealing with
  • Take immediate steps to limit the breach – for example, revoke or reset compromised credentials, isolate affected systems, recover the lost device or ask the recipient of a misdirected email to delete it
  • Preserve logs and other evidence while you contain; you will need them in the assessment and review steps
  • All potential and actual data breaches are serious – move promptly
  • Call a cybersecurity expert if necessary

2. ASSESS the breach

  • Obtain and evaluate all information about the breach: what information was involved, who had access to it, for how long, and whether remedial action has removed the likelihood of serious harm
  • Understand the risks posed by the breach to the individuals concerned
  • Determine whether your notification obligations are triggered
  • If you only suspect an eligible data breach, the scheme requires a reasonable and expeditious assessment, completed within 30 days of becoming aware of the grounds for suspicion – treat 30 days as the outer limit, not the target

3. NOTIFY the breach

  • If the assessment confirms an eligible data breach, notify the OAIC and the affected individuals as soon as practicable, unless an exception under the NDB Scheme applies (for example, remedial action has removed the likelihood of serious harm)
  • The statement to the OAIC must include your identity and contact details, a description of the breach, the kinds of information concerned and the steps you recommend individuals take in response; decide how individuals will be told (e.g. email, letter, or, if you cannot contact them directly, a website notice)
  • Check your obligations under the NDB Scheme, including whether the information is held jointly with another entity (one notification can cover both)

4. REVIEW the breach

  • Understand what lessons have been learned
  • Consider what actions can be taken to prevent future data breaches
  • Improve your security, privacy policies and handling procedures
  • Document the review of the data breach from start to finish

The Don’ts

Don’t let the Judges (OAIC) give you a bad score – to make the Response Plan successful, here are our tips for WHAT NOT TO DO:

  • Don’t ignore or delay a response to any actual or suspected data breach;
  • Don’t assume a suspected breach is (or isn’t) a real one – always assess it;
  • Don’t omit important people or information from the notification;
  • Don’t skip the review or its documentation;
  • Don’t destroy evidence that may be valuable in identifying the cause of the breach.

Takeaway Points

There are a number of key points that you can take from this article back to your team and business:

  • Think of your plan like a fire drill – organise a team and practice your proposed response regularly.
  • Don’t forget your suppliers – your data could be held anywhere in this cloud-based generation. APP 11 requires you to take reasonable steps to protect the personal information you hold, and that obligation does not disappear because a supplier or other third party stores or processes it for you. Make sure you know how any supplier proposes to manage a data breach, how quickly they will tell you about one, and that they have a reputation for trustworthy and secure services.
  • Consider including template letters, website notifications, email notifications, an emergency hotline, a press release and engaging external consultants to review your process and security safeguards.
  • Regularly destroy or de-identify data you no longer need – APP 11.2 already requires this once personal information is no longer needed for a permitted purpose, subject to any legal record-keeping periods. Information you have destroyed or properly de-identified cannot be exposed in a breach, so regular cleansing of very old data limits your notification obligations to the customers whose information you still hold.
  • Consider cyber insurance, which can provide a further tool in your risk management kit.


How to Dish Up a Great Plan – Your Lawyer Can Help You

When it comes to Privacy matters, your lawyer can help serve up a 5-star Privacy experience, including:

  • Carrying out a Privacy review and audit to establish exactly what is required for your organisation;
  • Advising on compliance with the Privacy Act and notifications to both individuals and the OAIC;
  • Considering and reviewing any third-party contracts or arrangements to ensure that your company is not unnecessarily exposed to any data breach risk;
  • Negotiating contract amendments with your suppliers and any other contractors;
  • Assisting with policies and procedures for privacy and Data Breach Response Plans;
  • Providing template notification documents (e.g. letters, website and email notifications) in case an eligible data breach does occur;
  • Preparing and delivering privacy training guides for staff; and
  • Any other risk management issues tailored to your organisation.

What’s Next?

You can expect to hear over the next 12 months plenty more about this new regime. Certainly, the Regulator has been active and will continue to be so. The Regulator’s website has a large amount of information designed to assist business with its obligations, see https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme.

There’s a popular reality TV show where couples (who can allegedly cook) meet at each other’s home to cook (inedible) food and have it judged by two celebrity chefs and the invited guests. There is then much angst and hand-wringing as the scores are shown on national television.

The Privacy Act is a bit like that – we swear we are going to faithfully follow the guidelines (recipes) and promise our customers (dinner guests) they can trust us with their most personal information, and then we pay lip service (pun intended) to our obligations. Instead of paying the dinner bill, a company found to have committed a serious or repeated interference with privacy can face a civil penalty of up to $2.1 million. Even those penalties may be insignificant next to the damage to reputation and trust when your customers find out their privacy has been breached and you have failed to respond appropriately.

Don’t let your NDB plan be a recipe for disaster.

Ledlin Lawyers is a boutique firm of specialist credit, insolvency and business lawyers. For more information visit www.ledlinlawyers.com.au