
What is a data breach response plan and how do you obtain one?

Reviewed by Malcolm Burrows

On 23 February 2018 the notifiable data breach scheme (Scheme) was enacted through legislation amending the Privacy Act 1988 (Cth) (Privacy Act), making it mandatory for certain (eligible) entities to notify affected individuals about eligible data breaches. In talking to clients in this area, there appears to be some confusion about what an eligible organisation has to do to prepare for this.

In considering an organisation's obligations under the Scheme, please refer to our article on the Notifiable Data Breach Scheme, where the following topics are covered:

  • What is a data breach?
  • What is Personal Information?
  • Who does the scheme relate to?
  • What is an eligible data breach?
  • What are the consequences of non-compliance?

This article discusses the contents to be considered as part of a Data Breach Response Plan.

What is a Data Breach Response Plan?

Whilst the phrase Data Breach Response Plan is descriptive of its anticipated contents, the Office of the Australian Information Commissioner (OAIC) has defined the term to mean:

“A data breach response plan is one tool to help you manage a data breach. It is a framework which sets out the roles and responsibilities for managing an appropriate response to a data breach as well as describing the steps to be taken by an entity in managing a breach if one occurs”.

To assist with managing a data breach, the OAIC has prepared the following two (2) guides:

  • A guide to securing personal information; and
  • A guide to data breach preparation and response.

Why create a response plan?

Australian Privacy Principle 11 (security of personal information) requires APP entities who hold personal information to take such steps as are reasonable in the circumstances to protect the information:

  • from misuse, interference and loss; and
  • from unauthorised access, modification or disclosure.

While the preparation of a Data Breach Response Plan is not explicitly required under the new Scheme, the OAIC has stated:

“Depending on the circumstances, those reasonable steps may include the preparation and implementation of a data breach policy and response plan”.

The benefits of having a Data Breach Response Plan

A Data Breach Response Plan may:

  • reduce the cost of the data breach to your organisation (Note: According to the 2017 Ponemon Institute Report, the Cost of Data Breach Study, the average cost of a data breach to an Australian organisation is $141 per record[2]);
  • reduce the average cost of a data breach by around 10%[3] (Note: Actions within the first 24 hours can greatly reduce the damage done to affected individuals);
  • limit your legal liability to the affected individuals and under the Privacy Act;
  • assist in remedying a breach before it becomes an eligible data breach requiring notification of the OAIC and affected individuals;
  • limit the damage to your business reputation; and
  • minimise the likelihood of receiving a penalty.

Contents of the Data Breach Response Plan

The OAIC recommends a Data Breach Response Plan should include the following information:

  • what a data breach is and how staff can identify one;
  • clear escalation procedures and reporting lines for suspected data breaches;
  • members of the data breach response team, including roles, reporting lines and responsibilities;
  • details of any external expertise that should be engaged in particular circumstances;
  • how the plan will apply to various types of data breaches and varying risk profiles with consideration of possible remedial actions;
  • an approach for conducting assessments;
  • processes that outline when and how individuals are notified;
  • circumstances in which law enforcement, regulators (such as the OAIC), or other entities may need to be contacted;
  • processes for responding to incidents that involve another entity;
  • a record-keeping policy to ensure that breaches are documented;
  • requirements under agreements with third parties such as insurance policies or service agreements;
  • a strategy identifying and addressing any weaknesses in data handling that contributed to the breach;
  • regular reviewing and testing of the plan; and
  • a system for a post-breach review and assessment of the data breach response and the effectiveness of the data breach response plan.

Takeaways

With the Scheme in place across Australia, it is time to ensure you have a Data Breach Response Plan to guide your team in identifying and responding to eligible data breaches, which may assist in limiting your liability and protecting your organisation's reputation.

Links and further references

Legislation

Privacy Act 1988 (Cth)

Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth)

Office of the Australian Information Commissioner, A guide to securing personal information

Office of the Australian Information Commissioner, A guide to data breach preparation and response

Further information about data breaches

If you need assistance in preparing a data breach response plan or if you require legal support following a data breach, contact us for a confidential and obligation-free discussion.

[2] IBM Security, https://www.ibm.com/security/data-breach.

[3] IBM Security, https://www.ibm.com/security/data-breach.
