Data breaches are the stuff that IT managers’ nightmares are made of. And since the Notifiable Data Breaches (NDB) scheme came into effect for all businesses covered by the Privacy Act 1988, that nightmare has become a reality for companies that don’t have proper processes in place.
Not only is crisis management harder when there isn’t a solid plan in place, the reputational damage can also be long-lasting and cause enduring financial burdens on any business unlucky enough to suffer a serious breach.
Any breach can have a significant impact on the individuals affected, from physical and mental wellbeing, through to financial loss and damage to reputation.
Examples can include:
financial fraud including unauthorised credit card transactions or credit fraud
identity theft causing financial loss or emotional and psychological harm
physical harm or intimidation.
Data can be breached in any number of ways including loss or theft of devices, insider threats, human error, phishing or other cyber attacks.
So, what should you do to ensure your business is protected?
Assessing the severity of the breach
If you suspect that you’ve been breached, the first part of your process should be to assess the severity of the presumed breach. This will help you determine your next steps: what measures you should take, and whether the breach is serious enough to be reported.
The NSW Information and Privacy Commission recommends the following when determining the seriousness of the breach:
The type of data held
If personal or health data was disclosed
The number of individuals affected
The risk of harm, both to the individuals and the business
In addition, you must take into consideration the type of data that was breached, the context of that data (could it be found publicly, could it cause harm to individuals, and how easily could individuals be identified from it), and the circumstances of the breach.
Once you determine the severity of the breach, you can work through your response plan.
Preparing a response plan
It makes sense to have a solid framework in place so that you’re prepared in the event of a data breach. But what does this entail? We’re glad you asked!
Your response framework should include the roles and responsibilities for the people tasked with executing the response plan, what constitutes a breach, how it should be dealt with and when the plan should be reviewed.
We have a team of super-smart cyber security experts ready and waiting to help you build out and review your response plan, so let us know if we can be of assistance.
And as with all good plans, you’ll need to socialise this information with the business so that people know what to expect and who to reach out to if they suspect something is up (or they misplace their laptop… it happens).
There are some occasions where reporting requirements exist outside of the Privacy Act. For example, the GDPR may apply for your business, which means you’ll be held to a specific standard beyond that of the NDB. There is a comprehensive list of the other mandatory and voluntary reporting schemes that your organisation may need to comply with here.
Beyond that, depending on the type of business, you may need to report to the ASX if you’re a listed company or at the very least, report to your board of directors and senior management team.
We’re here to help make those IT nightmares a thing of the past. If you need help with anything cyber security related, we’d love to chat.