19th April, 2018

Have you implemented your data breach response plan yet?

You may be aware from our past newsletters, or from other mainstream media avenues, about the implementation of the Notifiable Data Breach Scheme (NDB). Now that the scheme has commenced, the next important question to ask is whether you have a data breach response plan in place yet.

A data breach response plan is essential to effectively responding to and managing a breach. It should outline your company’s strategy for containing, investigating and managing the incident – from start to finish. Having a response plan will enable companies to meet their obligations under the Privacy Act and respond quickly to any data breaches they face. This quick response will not only help minimise serious harm to affected individuals, but it can also reduce the costs faced by a business dealing with a breach, and reduce the potential reputation damage that can result.

Your data breach response plan should be in writing, and easily accessible to your staff, to ensure that all staff are aware of, and understand, the appropriate actions to take in the event of a breach occurring. A response plan should be reviewed regularly and tested (with a hypothetical data breach scenario) to make sure it is up to date and to ensure your staff know what actions they are expected to take. How often you review and test your response plan will depend on a number of factors, including the size of your company, the amount and sensitivity of the information you hold, and the possible adverse consequences to an individual if a breach occurs. The more comprehensive your plan is, the better prepared your company will be in the event of a data breach incident occurring.

A data breach response plan should include:

  • A clear expectation of what constitutes an eligible data breach
  • Steps for how to contain, assess, investigate and manage a data breach, including steps to mitigate any serious harm if possible
  • The roles and responsibilities of staff
  • Other considerations, e.g. others to be notified such as law enforcement agencies and insurers

The Office of the Australian Information Commissioner (OAIC) has provided the following data breach response plan questionnaire to check whether your response plan addresses relevant issues.


The following diagram, also provided by the OAIC, summarises the data breach response process. The parts of the process that are in red are required by the NDB scheme.


If you wish to discuss this further, or if you wish to view an example of a data breach response plan, your Account Manager will be able to assist you.


Author: Murray Bruce