
What To Do in the Event of a Data Breach

Written by Sally Wood
Updated over a year ago

The last few years have shown that a data breach can be a significant crisis for any Australian business. Understanding how to respond effectively is not just about legal compliance; it's about protecting your reputation, your bottom line, and the trust of your stakeholders.

This article provides a roadmap for businesses to help navigate the aftermath of a data breach, aligning with the Privacy Act in Australia.

1. Immediate Steps Post-Breach Discovery

  • Identify and Contain: The first step is to quickly establish the extent of the breach: which systems, accounts and data sets are affected. Contain it by isolating the affected systems (for example, revoking compromised credentials or removing affected hosts from the network) so that no further unauthorised access is possible, and take remedial action where you can. Do not wipe, re-image or delete any system, log, account or backup that could contain evidence you will need later.

  • Assemble Your Response Team: Mobilise a response team that includes IT, cybersecurity/investigative, legal, compliance, customer-facing, and public relations or communications staff. Ideally you will have identified this team and briefed them on their roles before a data breach occurs, as part of your data breach response plan.

  • Document Everything: Keep a detailed, time-stamped record of the breach, including how and when it was discovered, who or what caused it, the type of data involved and the people potentially affected, the potential impact, and every action your team takes in response.

During this preliminary stage, be careful not to destroy evidence that may be valuable in identifying the cause of the breach, or that would enable you to address all risks posed to affected individuals or the business.
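One concrete way to "document everything" without destroying evidence is to hash every artefact you collect (exported logs, database dumps, disk images) and keep a signed-off manifest of who collected what and when. The script below is an added example, not code from the original article or the author; the incident identifier, file names and log contents are constructed for the demonstration. It builds a manifest with SHA-256 digests and then re-verifies the evidence directory, reporting files that have gone missing, been altered, or been added since collection.

```python
"""
Added example: build and verify an evidence manifest during containment.

Hashing each collected artefact and recording who collected it and when
gives you a tamper-evident record for the investigation, the OAIC
assessment and any later legal process. All file names, incident
identifiers and log contents below are constructed for this demo.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large images need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(evidence_dir: Path, incident_id: str, collected_by: str) -> Dict:
    """Record path, size and SHA-256 of every file under evidence_dir."""
    files = []
    for path in sorted(p for p in evidence_dir.rglob("*") if p.is_file()):
        files.append({
            "path": path.relative_to(evidence_dir).as_posix(),
            "size": path.stat().st_size,
            "sha256": sha256_file(path),
        })
    return {
        "incident_id": incident_id,  # hypothetical reference, e.g. your ticket number
        "collected_by": collected_by,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "files": files,
    }


def verify_manifest(evidence_dir: Path, manifest: Dict) -> List[str]:
    """Return problems found: files missing, altered, or added since collection."""
    problems = []
    expected = {entry["path"]: entry["sha256"] for entry in manifest["files"]}
    for rel_path, digest in expected.items():
        path = evidence_dir / rel_path
        if not path.is_file():
            problems.append(f"missing: {rel_path}")
        elif sha256_file(path) != digest:
            problems.append(f"modified: {rel_path}")
    present = {p.relative_to(evidence_dir).as_posix()
               for p in evidence_dir.rglob("*") if p.is_file()}
    for rel_path in sorted(present - expected.keys()):
        problems.append(f"unexpected: {rel_path}")
    return problems


def demo() -> Dict[str, List[str]]:
    """Collect two constructed artefacts, verify, then show what tampering looks like."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "evidence"
        evidence.mkdir()
        # Constructed sample artefacts standing in for exported logs.
        (evidence / "web_access.log").write_text(
            "2024-03-01T02:14:07Z 203.0.113.5 GET /admin/export?all=1 200\n"
            "2024-03-01T02:14:09Z 203.0.113.5 GET /admin/export?all=1 200\n"
        )
        (evidence / "auth_events.json").write_text(
            json.dumps({"user": "svc_backup", "event": "password_reset",
                        "src": "203.0.113.5"})
        )

        manifest = build_manifest(evidence, incident_id="IR-0001",
                                  collected_by="incident lead")
        # Keep the manifest outside the evidence tree so it is not part of what it describes.
        (Path(tmp) / "manifest.json").write_text(json.dumps(manifest, indent=2))
        clean = verify_manifest(evidence, manifest)

        # Simulate someone "tidying up" a log and dropping a stray file in during the response.
        (evidence / "web_access.log").write_text(
            "2024-03-01T02:14:09Z 203.0.113.5 GET /admin/export?all=1 200\n"
        )
        (evidence / "notes.txt").write_text("cleaned up")
        tampered = verify_manifest(evidence, manifest)
        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the manifest (and, ideally, a copy of the evidence) somewhere the response team cannot casually edit, and re-run the verification before handing material to forensic experts or legal counsel so that any change during the response is caught rather than discovered later.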

2. Assessment and Investigation

  • Conduct an Assessment with Regard to OAIC Guidance: Assess the nature and sensitivity of the compromised data. Is it personal, financial, or sensitive information? How many people were affected? Would any of them be considered at risk of "serious harm"? Can remedial action be taken to reduce any potential harm?

  • Comprehensively Investigate How the Breach Occurred: Was it a system flaw, human error, or a malicious attack? Was a third party service provider involved?

  • Engage Forensic Experts: If necessary, involve cybersecurity experts to analyse the breach and prevent future incidents. Depending on how the breach was caused, it may be critical to engage an external team to provide an independent view. Having your legal team engage them on your behalf can also mean the results of the investigation may be protected by legal professional privilege.

3. Legal Obligations and Notification

Entities regulated by the Privacy Act are required to assess any 'suspected' eligible data breach and take all reasonable steps to complete that assessment within 30 days of becoming aware of it. If there are reasonable grounds to believe the data breach is likely to result in serious harm to any individual, the Privacy Act requires the business to notify the Office of the Australian Information Commissioner (OAIC) and the at-risk individuals as soon as practicable after forming that belief; the 30 days is a limit on the assessment, not a window in which to notify. From the perspective of any at-risk individuals, even 30 days may be far too long. Generally, your assessment and any notification should be undertaken as expeditiously as possible:

  • Notify Affected Parties: If your assessment concludes that the breach is likely to result in serious harm, promptly notify any at-risk individuals and advise them on protective measures. The statement must also cover the other matters the Privacy Act requires, such as a description of the breach and the kinds of information involved.

  • Inform Regulatory Bodies: Report the breach to the OAIC. It may be appropriate, or required, to notify other third parties such as your insurers, law enforcement, banks, enterprise customers, as well as other government agencies or regulators relevant to your business.

  • Check Insurance Policies: Check your relevant policies for your insurance notification period in the event of a data breach. You should also check if your insurance policy responds to costs arising from a data breach.

Note that notification may not be necessary or appropriate in all cases. Each incident needs to be considered on a case-by-case basis to determine whether breach notification is required. Seek legal advice if you are unsure.

4. Communication and Public Relations

Data breaches covered in the media show the damage done by handling a breach slowly, withholding information, or failing to provide appropriate support. Actions that may be desirable (as well as mandatory under law) include:

  • Transparent Communication: Prepare a clear and concise statement about the breach, its impacts, and your response, taking into account any mandatory or public notification requirements that may apply under the Privacy Act. If relevant, establish a dedicated page where periodic updates can be provided.

  • Support for Affected Individuals: Support should be tailored to the nature and effects of the breach, but may include establishing a customer contact centre and offering support services to those impacted, such as credit monitoring or replacement of identity documents, with the costs covered.

  • Manage Media Relations: Designate a spokesperson to handle media inquiries, ensuring consistent and accurate information dissemination.

It is important that your personnel can engage with individuals who have been affected by a data breach with sensitivity and compassion, in order not to cause further harm.

5. Recovery and Prevention

Following a data breach incident, it is important to use the lessons learned to strengthen your information security framework and reduce the chance of recurrence. A data breach should be considered alongside any similar breaches that have occurred in the past, which could indicate a systemic issue with policies or procedures. Work on:

  • Securely restoring services and strengthening your cybersecurity defences;

  • Identifying lessons learned;

  • Addressing what can be done better next time to avoid a breach or reduce its impact. For example, if the breach was caused by human error, was this because staff were under time pressure or stress, or did not have adequate training?

  • Reviewing any third-party service providers (and your contracts with them) where any of them handle personal information on the business's behalf;

  • Reviewing your data protection policies and incident response plans in light of the breach.

If any updates are made following a review, staff should be trained in any changes to relevant policies and procedures to ensure a quick response to a data breach.

Long-term Strategies Post-Breach

Continuous Improvement

Conduct regular audits and seek advice to improve your business's privacy and security compliance framework. Refer to the OAIC's Guide to Securing Personal Information for more guidance, and to the Australian Signals Directorate's Essential Eight, a set of baseline mitigation strategies that is a practical starting point if you don't have ISO 27001 certification.

Minimise the data you hold where you can and implement sound information handling measures to reduce the exposure from a data breach if and when one occurs. Implement ongoing monitoring and logging of your systems so that future breaches are detected quickly, and so that the evidence needed to investigate them is available.

Workplace Training

A large share of data breaches result from human error, so it is critical to provide employees and contractors with simple but regular updates to promote a privacy-aware culture.

Your team needs regular training to be able to understand their obligations, know how to implement those obligations, recognise and escalate data breaches quickly, know how to handle complaints, and remember where to go for advice.

There are plenty of resources available, or you can outsource to a professional to deliver a workshop either face-to-face or online.

Conclusion: Turning a Breach into an Opportunity for Improvement

While a data breach is undoubtedly a challenging and costly event, handling it well can demonstrate your organisation's commitment to data privacy and security.

This article contains just a few steps that will allow your business to quickly and easily address some of the most common data and privacy risks; however, there are many more. A healthy privacy compliance framework differs from organisation to organisation and accordingly, it needs to be tailor-made.

This help article does not purport to be legal advice, and it is recommended that organisations seek independent legal advice to better understand their legal obligations under the Privacy Act.
