Guide for managing data breaches

Reviewed by Malcolm Burrows

Parliament recently introduced a Bill which, if enacted, will make notification of data breaches mandatory.  Read about the Bill in our article Data Breach Bill 2016 – considerations for data security.

On 30 April 2012, a guide for handling information security breaches (Guide) was released by the Office of the Australian Information Commissioner (OAIC) to provide guidance for organisations when responding to a breach of data containing personal information.

Purpose of the Guide

There is no legal obligation in Australia to notify affected individuals or the public of data breaches, even though in 2008 the Australian Law Reform Commission recommended that mandatory data-breach notification laws be introduced.  The Guide is not legally binding but it does encourage organisations to notify an affected individual or OAIC where there is a real risk of serious harm as a result of a data breach.

Data breaches and how they occur

The Guide states that a data breach (Data Breach) occurs when personal information held by an agency or organisation is lost or subjected to unauthorised access, use, modification, disclosure, or other misuse.

There are several ways that a Data Breach can occur. Some examples include:

  • lost or stolen laptops, removable storage devices or paper records containing personal information;
  • hard drives and digital storage media being disposed of without their contents being erased first;
  • databases containing personal information being hacked into or otherwise illegally accessed; or
  • paper records being taken from insecure recycling or garbage bins.

Obligations to prevent a Data Breach

The Privacy Act 1988 (Cth) (the Act) sets out privacy principles that are imposed on Government departments or agencies as well as organisations with an annual turnover of more than three (3) million dollars. It does not apply to small business operators with an annual turnover of less than three (3) million dollars, unless they:

  • provide a health service;
  • disclose personal information about another individual for a benefit or service;
  • provide a benefit or service to collect personal information; or
  • are a contracted service provider for a Commonwealth contract.

In general, it is expected that these organisations will take reasonable steps to protect personal information in their control from misuse and loss as well as from unauthorised access, modification and disclosure.

The OAIC states that Data Breach notification is a good privacy practice as it is a reasonable security safeguard, provides openness about privacy practices, restores control over personal information and rebuilds public trust.

The four (4) key steps

The Guide sets out four key steps that it recommends an organisation take in responding to a Data Breach:

  • Step 1: Contain the breach and do a preliminary assessment;
  • Step 2: Evaluate the risks associated with the breach;
  • Step 3: Notification; and
  • Step 4: Prevent future breaches.

Step 1: Contain the breach and do a preliminary assessment

Once an organisation suspects or discovers a Data Breach, it should immediately take steps to contain the breach by recovering lost data, shutting down the system or revoking computer access privileges.

The organisation should then move quickly to appoint an authorised person to lead an initial assessment of the events leading up to the Data Breach.

The organisation should also determine who needs to be made aware of the breach.  The appropriate parties can vary depending on the type of breach.  Where there is high risk of serious harm, the Guide suggests that the affected individuals should be notified immediately.

Step 2: Evaluate the risks associated with the breach

Organisations should assess the risks associated with the breach to determine what steps are immediately necessary.  Examples of the considerations that need to be taken into account include:

  • context of personal information;
  • quantity of personal information that has been compromised;
  • the actual parties affected by the breach;
  • the parties that have gained the unauthorised access to the information; and
  • how the personal information could be used.

The Guide also encourages an organisation to determine whether there is a risk of ongoing breaches or further exposure of the information.  Whether the breach resulted from a theft is relevant, as it may indicate whether the information itself was targeted or whether it was the hardware containing the information that was targeted.

Step 3: Notification

Once the particular circumstances of the breach are considered, the organisation should decide whether to notify the affected individuals.

If it chooses to notify affected individuals of the Data Breach, a decision should be made as to when and how notification should occur.  The Guide recommends direct notification, such as by phone or in person, rather than indirect notification. The organisation should also consider what information should be included in the notification and whether any third parties need to be notified, such as the OAIC or the police.

The OAIC states that prompt notification can help the affected individuals to mitigate the damage by protecting themselves. In deciding whether to notify affected individuals, an organisation must consider:

  • whether notification is necessary to avoid or mitigate serious harm;
  • the ability of an individual to avoid or mitigate harm if they are notified of the breach;
  • the sensitivity of the information compromised;
  • any legal and contractual obligations it has to notify; and
  • the consequences of notification.

The OAIC Guide points out that if an organisation does not notify affected individuals and those individuals hear about the breach through the media, there could be loss of public trust in the organisation.

The notification should include information about the data-breach incident and the type of personal information that was involved.  It should also disclose what the organisation has done to respond to the breach and what assistance it can provide to those affected by the breach.

Step 4: Prevent future breaches

Once immediate steps are taken to reduce the risks relating to the breach, the organisation should consider whether it should review its existing prevention plan or develop one if there is no such plan in place.  OAIC makes several recommendations on how an organisation can reduce the chance of a Data Breach occurring in the future, including:

  • creating a senior position in the organisation specifically for managing data security;
  • disabling the download function on computers to prevent the download of data onto removable media devices;
  • instituting a policy that requires clearing hard drives and other digital storage media prior to being disposed of; and
  • upgrading passwords on a regular basis.

Reporting a Data Breach to the OAIC

The Guide recommends that organisations notify the OAIC of a Data Breach where it is appropriate to do so.  The OAIC can then provide information about obligations under privacy laws and what needs to be considered when responding to a Data Breach, as well as steps to take to avoid a breach in the future.  It can also respond to community enquiries about the Data Breach and explain to individuals the possible steps they can take to protect their personal information.
