Office of the Australian Information Commissioner - Home

Australian Government - Office of the Australian Information Commissioner
Australian Government - Office of the Australian Information Commissioner

Main menu

Guide to developing a data breach response plan

Introduction

This Guide will help you develop a data breach response plan. A short checklist is also set out in the Appendix.

This guide complements the Office of the Australian Information Commissioner’s Data breach notification guide: A guide to handling personal information security breaches (DBN Guide), which provides detailed guidance about responding to a data breach once it occurs.

This guide is intended for use by entities covered by the Privacy Act 1988 (Cth) (Privacy Act), including organisations, agencies, credit reporting bodies (CRBs), credit providers and tax file number recipients. However, this guide may also be relevant to organisations not subject to the Privacy Act as a model for better privacy practice.

This guide is not legally binding. However, if you are covered by the Privacy Act you will have obligations under the Actto take reasonable steps to protect the personal information that you hold from misuse, interference and loss, and from unauthorised access, modification or disclosure.[1] One of those reasonable steps may include the preparation and implementation of a data breach response plan.[2]

Back to Contents

What is a data breach?

For the purpose of this Guide a data breach is when personal information held by an entity is lost or subjected to unauthorised access, modification, disclosure, or other misuse or interference. Examples of a data breach are when a device containing personal information of clients is lost or stolen, an entity’s database containing personal information is hacked or an entity mistakenly provides personal information to the wrong person.

A ‘data breach’ may also constitute a breach of the Privacy Act, however this will depend on whether the circumstances giving rise to the data breach also constitute a breach of one or more of the APPs, a registered APP code or the Privacy (Credit Reporting) Code 2014 (CR code).

Back to Contents

Why do you need a data breach response plan?

All entities should have a data breach response plan. Your actions in the first 24 hours after discovering a data breach are often crucial to the success of your response. A quick response can substantially decrease the impact on the affected individuals.

High profile data breaches, both in Australia and overseas, highlight the significant disruption caused by a breach of personal information. Research suggests that the cost to an organisation for a data breach can be significant.[3] Implementing a data breach response plan can assist in mitigating these costs.[4]

Having a data breach response plan is part of establishing robust and effective privacy procedures. And having clear roles and responsibilities is part of good privacy governance.[5] A data breach response plan can also help you:

  • meet your obligations under the Privacy Act — an entity must take reasonable steps to protect the personal information that it holds; those reasonable steps may include having a data response plan[6]
  • protect an important business asset — the personal information of your customers and clients as well as your reputation[7]
  • deal with adverse media or stakeholder attention from a breach or suspected breach
  • instil public confidence in your capacity to protect personal information by properly responding to the breach.

Back to Contents

What is a data breach response plan?

A data breach response plan is one tool to help you manage a data breach. It is a framework which sets out the roles and responsibilities for managing an appropriate response to a data breach as well as describing the steps to be taken by an entity in managing a breach if one occurs. This includes:

  • the actions to be taken if a breach is suspected, discovered or reported by a staff member, including when it is to be escalated to the response team
  • the members of your data breach response team (response team)
  • the actions the response team is expected to take.

Your data breach response plan should be in writing to ensure that your staff clearly understand what needs to happen in the event of a data breach.

You will need to regularly review and test your plan to make sure it is up to date and that your staff know what actions they are expected to take. What is ‘regular’ in this context will depend on your circumstances, including the size of your entity, the nature of your operations, the possible adverse consequences to an individual if a breach occurs and the amount and sensitivity of the information you hold.

Research suggests that infrequent reviews of response plans are a significant impediment to the effectiveness of those plans.[8] You should create and test your plan before a data breach occurs by, for example, responding to a hypothetical data breach, and regularly test it after implementation for effectiveness. It may be appropriate in some instances that a review of the plan coincide with the introduction of new products, services, system enhancements or such other events which involving the handling of personal information.

Make sure you and your staff are familiar with your data breach response plan and that it is easily accessible; this will help you respond quickly and appropriately.

An example of a data breach response plan you can refer to is the OAIC’s plan, available on the OAIC website. The OAIC is a small government agency and the scope and content of the plan reflects this. If you chose to adopt aspects of our plan you will need to adapt it to your own circumstances.

Back to Contents

What should the plan cover?

The more comprehensive the plan, the more timely the ability to respond to a potential breach and mitigate any damage or harm to individuals who have had their personal data compromised.

Information which your plan should cover includes:

  • a strategy for assessing, managing and containing data breaches. This includes the steps and actions your staff, especially your response team, should take in the event of a breach or suspected breach. Specifically:
    • potential strategies for containing and remediating data breaches
    • ensuring you have the capability to implement those strategies as a matter of priority (e.g. having staff available to deal with the breach – see ‘Response team membership’ section below). Your plan should reflect the capabilities of your staff to adequately assess breaches and their impact, especially when breaches are not escalated to a response team
    • a clear and immediate communications strategy that allows for the prompt notification of affected individuals and other relevant entities. In particular:
      • who is responsible for implementing the communications strategy
      • determining how affected individuals will be contacted and managed
      • criteria for determining which external stakeholders should be contacted (for example, law enforcement and cyber security agencies, regulators (including the OAIC) and the media)
      • who is responsible for determining which external stakeholders should be contacted
      • who is responsible for liaising with those external stakeholders?
    • The plan should also clearly identify those actions that are legislative or contractual requirements
  • a clear explanation of what constitutes a data breach, so that staff are able to identify one should a breach occur (see ‘What is a data breach?’ section above). You may also want to include potential examples of a data breach which are tailored to reflect your business activities
  • the reporting line if staff do suspect a data breach, including who needs to be informed immediately
  • the circumstances in which the breach can be handled by a line manager, or when it should be escalated to the response team. This could include consideration of the following questions:
    • are multiple individuals affected by the breach or suspected breach?
    • is there (now or potentially in the future) a real risk of serious harm to the affected individual(s)?
    • does the breach or suspected breach indicate a systemic problem with your practices or procedures?
    • other issues relevant to your circumstances, such as the value of the data to you or issues of reputational risk
  • who is responsible for deciding whether the breach should be escalated to the response team? One option is to have each senior manager responsible for deciding whether to escalate matters relevant to their area. The other option is to have a dedicated role, such as the privacy contact officer
  • recording data breaches. You should consider how to record data breaches, including those that are not escalated to the response team
  • a strategy to identify and address any weaknesses in data handling that contributed to the breach
  • a system for a post-breach review and assessment of your entity’s response to the data breach and the effectiveness of your data breach response plan.

Back to Contents

Response team membership

The purpose of having a response team is to ensure that the relevant staff, roles and responsibilities are identified and documented before the data breach happens. Time can be lost if you do not consider how to create a response team until the breach has already occurred.

The make-up of your response team will depend on your business and the nature of the breach. Different skill sets and staff may be needed to respond to one breach compared to another. Depending on the size of your entity and the nature of the breach, you may need to include external experts in your team, for example for legal advice, data forensics and media management. You should identify the type of expertise you may need and ensure that that expertise will be available on short notice.

You should keep a current list of team members which clearly articulates their roles, responsibilities and authorities as well as their contact details (possibly attached to the plan). You should ensure contact lists remain updated, particularly in the event of organisational changes. Each role on the team should have a second contact point in case the first is not available. You may wish to consider creating a core team and adding other members as required.

Typical team roles and skills might include:

  • a team leader — to lead the team and manage reporting to senior management
  • a project manager — to coordinate the team and provide support to its members
  • a senior member of staff with overall accountability for privacy and/or key privacy officer — to bring privacy expertise to the team
  • legal support — to identify legal obligations and provide advice
  • risk management support — to assess the risks from the breach
  • ICT support/forensics support — particularly if the breach requires investigation of ICT systems
  • information and records management expertise – to assist in reviewing security and monitoring controls related to the breach (for example, access, authentication, encryption, audit logs) and to provide advice on recording the response to the data breach
  • HR support — if the breach was due to the actions of a staff member
  • media/communications expertise — to assist in communicating with affected individuals and dealing with the media and external stakeholders.

If you hold an insurance policy for data breaches, that insurer may have a pre-established panel of external service providers in many of the roles listed above. You may want to consult with your insurer as to the identity of that panel so they can be included in any response team. Alternatively, the insurer may have a hotline available to assist in the event of a data breach, and that could be noted in the response plan.

How the response team is reflected in your response plan will depend on your circumstances. For example, the escalation of management of a data breach to a response team may not occur in smaller entities. Depending on the size of your entity or the size of the breach, a single person may perform multiple roles. In smaller entities the owner/principal of the entity could potentially be the person who needs to respond to and act on that breach.

It is important that the response team has the authority to take the necessary steps in the event of a breach without the need to seek permissions particularly in time critical scenarios. You will need to carefully consider who will be the team leader. The role must be of sufficient seniority/authority to effectively manage other parts of the business whose input is required and to report to senior management. It may be your senior member of staff with overall accountability for privacy, a senior lawyer (if you have an internal legal function) or another senior manager. If the breach is serious, it may be a senior executive.

Back to Contents

Actions the response team should take

A data breach response plan should also set out (or refer to) the actions the response team is expected to take when a data breach is discovered. The OAIC suggests these four steps be followed:

  1. contain the breach and do a preliminary assessment
  2. evaluate the risks associated with the breach
  3. notification
  4. prevent future breaches.

These steps and suggested courses of action are set out in more detail in the OAIC’s Data breach notification guide: A guide to handling personal information security breaches. When developing the actions your response team will take, you could use or adapt our suggestions or seek out other resources. Any response plan will need to be tailored and developed for your own circumstances.

You will need to consider what information needs to be reported to senior management during the course of your investigations and at what point. This reporting structure should form part of your plan.

The data breach response plan should outline how staff will record the identification and response to a data breach. Keeping records on your privacy breaches will assist you to deal with the data breach itself, and also help prevent future breaches by identifying risks and issues.

It is also best practice to notify the OAIC when you have a data breach and there is a real risk of serious harm to the affected individuals. You can report a data breach to the OAIC via email (enquiries@oaic.gov.au) or telephone (1300 363 992).

Back to Contents

Other considerations

In developing your plan you could also consider:

  • when and how the response team could practice a response to a breach in order to test procedures and refine them
  • whether your plan for dealing with personal information data breaches could link into or be incorporated into already existing processes, such as a disaster recovery plan, an cyber security/ICT incident response plan, a crisis management plan or an existing data breach response plan involving other types of information (e.g. commercially confidential information)
  • whether senior management should be directly involved in the planning for dealing with data breaches and in responding to serious data breaches
  • whether you have an insurance policy for data breaches that includes steps you must follow.

Back to Contents

Appendix — data breach response plan quick checklist

Use this list to check whether your response plan addresses relevant issues.

Issue

Yes/no

Comments

How is a data breach identified?

   

Do your staff know what to do if they suspect a data breach has occurred?

   

Who is ultimately responsible for your entity’s handling of a data breach in accordance with the plan?

   

Who is on your response team?

   

Do you need to include external expertise in your response team, for example data forensics experts, privacy experts etc?

   

Do they know their roles and what to do?

   

Have you set up clear reporting lines?

   

When do you notify individuals affected by a data breach?

   

Have you considered in what circumstances law enforcement or regulators (such as the OAIC) may need to be contacted?

   

Do you have an agreed approach to responding to media inquiries, including

  • pro-active or reactive strategies?
  • agreed spokesperson?
   

What records will be kept of the breach and your management of it?

   

Does your plan refer to any strategies for identifying and addressing any weaknesses in data handling that contributed to the breach?

   

Are there any matters specific to your circumstances, for example:

  • do you have insurance policies that may apply?
  • how will you keep your staff informed?
   

How frequently is your plan tested and reviewed and who is responsible for doing so?

   

Is there a system for a post-breach review and assessment of your entity’s response to the data breach and the effectiveness of your data breach response plan?

   

Back to Contents

Footnotes

[1] The Privacy Act includes 13 Australian Privacy Principles (APPs) that regulate the handling of personal information. APP 11 requires entities to take active measures to ensure the security of personal information they hold and to actively consider whether they are permitted to retain this personal information. The OAIC’s APP guidelines outlines the mandatory requirements of the APPs, how the OAIC will interpret the APPs, and matters the OAIC may take into account when exercising functions and powers under the Privacy Act.

[2] The OAIC’s Guide to securing personal information provides guidance on what the OAIC may consider to be ‘reasonable steps’ as required by APP 11, including guidance on the handling of data breaches by having a response plan (see p.36).

[3] Ponemon Institute, 2015 Cost of Data Breach Study: Australia, p 1 shows that the average organisational cost for a data breach has reached $2.82 million or $144 per lost or stolen record of personal information, see - www-03.ibm.com/security/data-breach/.

[4] ibid. figure 7, p 8.

[5] See our Privacy management framework: enabling compliance and encouraging good practice for further information.

[6] See our Guide to securing personal informationand our Data breach notification guide: A guide to handling personal information security breaches.

[7] Although this guide focuses on personal information, data breaches may also involve other types of information (e.g. commercially confidential information) that could have serious consequences for your business or agency. Therefore a response plan for personal information related data breaches could be incorporated within a broader data breach plan – also see ‘Other considerations’ section.

[8] See Ponemon Institute’s 2014 study - Is Your Company Ready for a Big Data Breach? The Second Annual Study on Data Breach Preparedness, p 4-5 - www.experian.com/assets/data-breach/brochures/2014-ponemon-2nd-annual-preparedness.pdf.

Back to Contents