Part 2: Preparing a data breach response plan

13 July 2019

Key points

  • A quick response to a data breach, based on an up-to-date data breach response plan, is critical to effectively managing a breach.
  • Your data breach response plan should outline your entity’s strategy for containing, assessing and managing the incident from start to finish.
  • This part will provide practical guidance to help you develop a comprehensive and effective data breach response plan.

Why do you need a data breach response plan?

All entities should have a data breach response plan. A data breach response plan enables an entity to respond quickly to a data breach. By responding quickly, an entity can substantially decrease the impact of a breach on affected individuals, reduce the costs associated with dealing with a breach, and reduce the potential reputational damage that can result.

A data breach response plan can help you:

  • Meet your obligations under the Privacy Act

    Under the Privacy Act, an entity must take reasonable steps to protect the personal information that it holds.[9] A data breach response plan focussed on reducing the impact of a breach can be one of these reasonable steps.

  • Limit the consequences of a data breach

    A quick response can reduce the likelihood of affected individuals suffering harm. It can also lessen financial or reputational damage to the entity that experienced the breach.

  • Preserve and build public trust

    An effective data breach response can support consumer and public confidence in an entity’s respect for individual privacy, and the entity’s ability to manage personal information in accordance with community expectations.

What is a data breach response plan?

A data breach response plan is a framework that sets out the roles and responsibilities involved in managing a data breach. It also describes the steps an entity will take if a data breach occurs.

Your data breach response plan should be in writing to ensure that your staff clearly understand what needs to happen in the event of a data breach. It is also important for staff to be aware of where they can access the data breach response plan on short notice.

You will need to regularly review and test your plan to make sure it is up to date and that your staff know what actions they are expected to take. You can test your plan by, for example, responding to a hypothetical data breach and reviewing how your response could be made more effective.

How regularly you test your plan will depend on your circumstances, including the size of your entity, the nature of your operations, the possible adverse consequences to an individual if a breach occurs, and the amount and sensitivity of the information you hold. It may be appropriate in some instances that a review of the plan coincides with the introduction of new products, services, system enhancements, or such other events which involve the handling of personal information.

What should the plan cover?

The more comprehensive your data breach response plan is, the better prepared your entity will be to effectively reduce the risks and potential damage that can result.

Information that your plan should cover includes:

  • A clear explanation of what constitutes a data breach

    This will assist your staff in identifying a data breach should one occur (see What is a Data Breach?). You may also want to include potential examples of a data breach which are tailored to reflect your business activities.

  • A strategy for containing, assessing and managing data breaches

    This strategy should include the actions your staff, and your response team, will take in the event of a data breach or a suspected data breach. Consider:

    • potential strategies for containing and remediating data breaches
    • ensuring you have the capability to implement those strategies as a matter of priority (e.g. having staff available to deal with the breach – see Response Team Membership section below). Your plan should reflect the capabilities of your staff to adequately assess data breaches and their impact, especially when breaches are not escalated to a response team
    • legislative or contractual requirements (such as the requirements of the NDB scheme if they apply to your entity)
    • a clear and immediate communications strategy that allows for the prompt notification of affected individuals and other relevant entities. In particular:
      • who is responsible for implementing the communications strategy
      • determining when affected individuals must be notified (see Identifying Eligible Data Breaches for further information about mandatory data breach notification requirements under the NDB scheme)
      • how affected individuals will be contacted and managed
      • criteria for determining which external stakeholders should be contacted (for example, law enforcement and cyber security agencies, regulators such as the OAIC, and the media)
      • who is responsible for liaising with external stakeholders

  • The roles and responsibilities of staff

    Your plan should outline the responsibilities of staff members when there is a data breach, or a suspected data breach. Consider:

    • who staff should inform immediately if they suspect a data breach
    • the circumstances in which a line manager can handle a data breach, and when a data breach must be escalated to the response team. The following factors may determine when a data breach is escalated to the response team:
      • the number of people affected by the breach or suspected breach
      • whether there is a risk of serious harm to affected individuals now or in the future
      • whether the data breach or suspected data breach may indicate a systemic problem with your entity’s practices or procedures
      • other issues relevant to your circumstances, such as the value of the data to you or issues of reputational risk.
    • who is responsible for deciding whether the breach should be escalated to the response team. One option is for each senior manager to hold responsibility for deciding when to escalate a data breach to the response team. Another option is to have a dedicated role, such as the privacy contact officer.

  • Documentation

    Your plan should consider how your entity will record data breach incidents, including those that are not escalated to the response team. This will assist you in ensuring you have documentation of how your entity has met regulatory requirements.

  • Review

    Evaluating how a data breach occurred, and the success of your response, can help you improve your data handling and data breach management. Consider:

    • a strategy to identify and address any weaknesses in data handling that contributed to the breach
    • a system for a post-breach assessment of your entity’s response to the data breach and the effectiveness of your data breach response plan

Response team membership

Your data breach response team is responsible for carrying out the actions that can reduce the potential impact of a data breach. It is important that the staff that make up the response team, as well as their roles and responsibilities, are clearly established and documented before a data breach occurs. Otherwise, your response to the breach may be unnecessarily delayed.

Who is in your data breach response team will depend on the circumstances of your entity and the nature of the breach. Different skill sets and staff may be needed to respond to one breach compared to another. In some cases, you may need to include external experts in your team, for example legal advice, data forensics, or media management. You should identify the types of expertise you may need and ensure that this expertise will be available on short notice. You might consider creating a core team and adding other members as they are required.

You should keep a current list of response team members and clearly detail their roles, responsibilities, and authorities, as well as their contact details (possibly attached to the data breach response plan). You should ensure these contact details remain updated, particularly in the event of organisational changes. Each role on the response team should have a second point of contact in case the first person is not available.

Typical data breach response team roles and skills

Your data breach response team may include:

  • a team leader — who is responsible for leading the response team and reporting to senior management

  • a project manager — to coordinate the team and provide support to its members

  • a senior member of staff with overall accountability for privacy and/or key privacy officer — to bring privacy expertise to the team

  • legal support — to identify legal obligations and provide advice

  • risk management support — to assess the risks from the breach

  • Information and Communication Technology (ICT) support/forensics support — this role can help establish the cause and impact of a data breach that involved ICT systems

  • information and records management expertise – to assist in reviewing security and monitoring controls related to the breach (for example, access, authentication, encryption, audit logs) and to provide advice on recording the response to the data breach

  • human resources (HR) support — if the breach was due to the actions of a staff member

  • media/communications expertise — to assist in communicating with affected individuals and dealing with the media and external stakeholders.

If you hold an insurance policy for data breaches, that insurer may have a pre-established panel of external service providers in many of the roles listed above. You may want to consult with your insurer as to the identity of that panel so they can be included in any response team. Alternatively, the insurer may have a hotline available to assist in the event of a data breach, and that could be noted in the response plan.

Which individuals carry out the roles outlined in your response team will depend on your circumstances. For example, in smaller entities it may not be necessary to include steps related to escalating the data breach to the response team, as this may be an automatic process. Depending on the size of your entity or the size of the breach, a single person may perform multiple roles. In smaller entities the owner/principal of the entity could potentially be the person who needs to respond to and act on that breach.

It is important that the response team has the authority to take the steps outlined in the response plan without needing to seek permission, as this will enable a faster response to the breach. The role of team leader should be carefully considered, as they should have sufficient ability and authority to effectively manage the various sections within the entity whose input is required and to report to senior management. It may be your senior member of staff with overall accountability for privacy, a senior lawyer (if you have an internal legal function) or another senior manager. If the breach is serious, it may be a senior executive.

Actions the response team should take

A data breach response plan should also set out (or refer to) the actions the response team is expected to take when a data breach is discovered. Part 3 of this Guide provides a general framework for responding to a data breach, and Part 4 outlines the requirements of the NDB scheme, which may apply to your entity if it has personal information security obligations under the Privacy Act.

The response team will need to consider what information needs to be reported to senior management and at what point. This reporting structure should form part of the plan.

The data breach response plan should outline how staff will record how they have become aware of a data breach and the actions taken in response. Keeping records on data breaches and suspected breaches will help you manage the breach and identify risks that could make a breach more likely to occur.

Other considerations

In developing your plan you could also consider:

  • when and how the response team could practice a response to a breach in order to test procedures and refine them
  • whether your plan for dealing with personal information data breaches could link into or be incorporated into already existing processes, such as a disaster recovery plan, a cyber security/ICT incident response plan, a crisis management plan or an existing data breach response plan involving other types of information (e.g. commercially confidential information)
  • whether senior management should be directly involved in the planning for dealing with data breaches and in responding to serious data breaches
  • any reporting obligations under laws other than the Privacy Act or to other entities
  • whether you have an insurance policy for data breaches that includes steps you must follow

Data breach response plan quick checklist

Use this list to check whether your response plan addresses relevant issues.

| Information to be included | Yes/No | Comments |
|---|---|---|
| What a data breach is and how staff can identify one | | |
| Clear escalation procedures and reporting lines for suspected data breaches | | |
| Members of the data breach response team, including roles, reporting lines and responsibilities | | |
| Details of any external expertise that should be engaged in particular circumstances | | |
| How the plan will apply to various types of data breaches and varying risk profiles, with consideration of possible remedial actions | | |
| An approach for conducting assessments | | |
| Processes that outline when and how individuals are notified | | |
| Circumstances in which law enforcement, regulators (such as the OAIC), or other entities may need to be contacted | | |
| Processes for responding to incidents that involve another entity | | |
| A record-keeping policy to ensure that breaches are documented | | |
| Requirements under agreements with third parties such as insurance policies or service agreements | | |
| A strategy for identifying and addressing any weaknesses in data handling that contributed to the breach | | |
| Regular reviewing and testing of the plan | | |
| A system for a post-breach review and assessment of the data breach response and the effectiveness of the data breach response plan | | |

Footnotes

[9] An APP entity is required under s 15 not to do an act, or engage in a practice, that breaches APP 11.1; a credit reporting body is required to comply with s 20Q in relation to credit reporting information; a credit provider is required to comply with s 21S(1) in relation to credit eligibility information; a file number recipient is required under s 18 not to do an act, or engage in a practice, that breaches the Privacy (Tax File Number) Rule 2015.