This post is Part 1 in our series "Help, we’ve been hacked! How do I respond to a privacy breach?", written by Sam H and Sophie F. Part Two will look at the Privacy Act’s breach notification regime. Part Three discusses other notification requirements in Australia. Part Four examines the vexed question of paying ransoms in the event of ransomware attacks. Finally, Part Five surveys some key international breach notification obligations.
What is a privacy breach?
A privacy breach is an unauthorised access, disclosure, or loss of personal information.
Privacy breaches are often a subset of data breaches, that is, an interference with the confidentiality, integrity, or availability of data generally (not just personal information). While this can include digital and hard-copy data, people are usually referring to digital data and IT systems when they talk about a ‘data breach’, aka a cyber attack. Data breaches can occur through human error, malicious attack or a system fault.
Note that in the Privacy Act, an unauthorised access, disclosure, or loss of personal information is confusingly referred to as a ‘data breach.’ We talk more about privacy breaches and the Privacy Act in Part 2 of this series.
If your business collects, processes or uses personal information, then it is at risk of a privacy breach.
This series of posts will discuss both privacy breaches and data breaches more generally, because there is a lot of overlap between the two. Generally speaking, if your business handles personal information well, it will also lower the risk of suffering a data breach. However, there are some differences. For example, if one of your employees accidentally sends an email containing personal information to the wrong recipient, that will be a privacy breach but not really a data breach.
Preventive measures – lowering the likelihood of a breach
It is important for businesses to have technical and organisational measures in place to prevent privacy and data breaches. A good example of technical measures can be found in the ASD Essential Eight, and organisational measures can include internal privacy management plans and regular awareness training.
Even with the best technical and organisational measures in place, it is a sensible idea to prepare for a breach. This is because information systems are designed and operated by humans, and humans make mistakes. This means that you can never have 100% security, so even with the best preventative measures there is a risk that a data breach can still occur.
Data breach response plans
Because you can never eliminate the risk, it is important for you to have a breach response plan ready in order to identify and contain a data breach. By responding quickly, your business can substantially decrease the impact on those affected by the breach (such as your clients or customers), reduce the costs associated with fixing the breach (which can include fines and compensation orders), and reduce the reputational damage that can result.
The more comprehensive your data breach response plan is, the better prepared your business will be to respond to a breach and minimise the potential damage that can result.
Information that your data breach response plan should cover includes:
- a clear explanation of what constitutes a data breach, and
- a strategy for containing, assessing and managing data breaches, including the actions your staff and your vendors should take in the event of a breach.
There are four steps that should be taken following a breach.
Step 1 – Contain
Contain the breach to prevent any further compromise of personal information. Get answers to these questions:
- How did the data breach occur?
- Is the data still being shared, disclosed or lost without authorisation?
- Who has access to the data?
- What can be done to secure the data, or stop the unauthorised access or disclosure?
Some of these questions you will be able to answer yourself, and some will need the input of your ICT team or external provider. Remember that containment needs to be done quickly.
Things you can do if you’re not an ICT professional:
- Remotely log out from accounts;
- Change your passwords – including on any accounts where you have reused passwords; and
- Turn on multifactor authentication.
Step 2 – Assess
Assess the breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm. Find out:
What data was involved in the data breach. Was it:
- personal information?
- confidential business information?
- financial data?
The circumstances of the data breach, including its cause and extent:
- who is affected?
The nature of the harm to those affected. This will depend on the nature of the information that has been disclosed and the people to whom the information relates. It can include the following:
Can the risk of harm be removed through remedial action? This will be the case when there are steps that can be taken to ensure that the harm does not eventuate.
Step 3 – Notify
Notify anyone you need to notify. In some circumstances you will have obligations to notify (see our forthcoming posts on this point).
Breaches happen and no system is perfect, so notification should be approached as a way of building trust with your stakeholders. Notification is your opportunity to demonstrate that you are alert to the importance of privacy and information security.
Notifications should be clearly articulated, timely and direct. Cooperate with regulators, don’t obfuscate, and take steps to help out those who are affected by the breach.
You should also take the necessary steps to ensure that your notifications reach the intended recipients.
Depending on the size and nature of your company and the data implicated in the breach, consider whether it would be appropriate to hire a crisis communications company.
Step 4 – Review and remediate
Review the incident and consider what actions can be taken to prevent future breaches. Consider the following:
- A security review including a root cause analysis of the data breach;
- A prevention plan to prevent similar incidents in future;
- Audits to ensure the prevention plan is implemented;
- A review of policies and procedures and changes to reflect the lessons learned from the review;
- Changes to employee selection and training practices; and
- A review of service delivery partners that were involved in the breach.
Practice your plan
Finally, and most importantly, it is not enough to have a shiny plan if you don’t know how to put it into action.
Once you have developed your plan, run through it in real time. This will allow you to identify what you don’t know and where your plan is deficient. You might also want to engage a cybersecurity vendor that can help you ‘red-team’ your plan.