Babeltext Pty Ltd – May 2023
Step 1: Contain
Once a data breach has been discovered or a suspected data breach has occurred, action will be taken to limit the breach. For example, stop the unauthorised practice, recover the records, or shut down the system that was breached. If it is not practical to shut down the system, or if it would result in loss of evidence, we then revoke or change computer access privileges or address weaknesses in physical or electronic security.
Addressing the following questions may help identify strategies to contain a data breach:
- How did the data breach occur?
- Is the personal information still being shared, disclosed, or lost without authorisation?
- Who has access to personal information?
- What can be done to secure the information, or stop the unauthorised access or disclosure, and reduce the risk of harm to affected individuals?
Step 2: Assess
An assessment of the data breach can help an entity understand the risks posed by a data breach and how these risks can be addressed. It should be conducted as expeditiously as possible.
Gather and evaluate as much information about the data breach as possible. By creating a complete picture of the data breach, an entity can ensure they understand the risk of harm to affected individuals and identify and take all appropriate steps to limit the impact of a data breach.
This assessment should also assist entities in deciding whether affected individuals must be notified. In your assessment of a data breach, consider:
- the type or types of personal information involved in the data breach
- the circumstances of the data breach, including its cause and extent
- the nature of the harm to affected individuals and if this harm can be removed through remedial action.
All entities should consider whether remedial action can be taken to reduce any potential harm to individuals. This might also take place during Step 1: Contain, such as by recovering lost information before it is accessed.
Step 3: Notify
Notification can be an important mitigation strategy that has the potential to benefit both the entity and the individuals affected by a data breach. The challenge is to determine when notification is appropriate. Sometimes, notifying individuals can cause undue stress or harm. For example, notifying individuals about a data breach that poses very little or no risk of harm can cause unnecessary anxiety. It can also de-sensitise individuals so they don’t take a notification seriously, even when serious harm is involved. Each incident needs to be considered on a case-by-case basis to determine whether breach notification is required.
- other circumstances in which individuals should be notified.
- how notification should occur, including:
  - what information is provided in the notification?
  - how the notification will be provided to individuals
  - who is responsible for notifying individuals and creating the notification?
- where a law enforcement agency is investigating the breach, it may be appropriate to consult the investigating agency before making details of the breach public
- whether the incident triggers reporting obligations to other entities.
Effective data breach response is about reducing or removing harm to affected individuals while protecting the interests of your organisation or agency. A notification has the practical benefit of providing individuals with the opportunity to take steps to protect their personal information following a data breach, such as by changing account passwords or being alert to possible scams resulting from the breach. It is important that staff are capable of engaging with individuals who have been affected by a data breach with sensitivity and compassion in order not to exacerbate or cause further harm. Notification can also help build trust in an entity by demonstrating that privacy protection is taken seriously.
Step 4: Review
Once steps 1 to 3 have been completed, an entity should review and learn from the data breach incident to improve its personal information handling practices.
This might involve:
- a security review, including a root cause analysis of the data breach and an evaluation of the preparation and response.
- a prevention plan to prevent similar incidents in future.
- audits to ensure the prevention plan is implemented.
- a review of policies and procedures and changes to reflect the lessons learned from the review.
- changes to employee selection and training practices.
- a review of service delivery partners that were involved in the breach.
- In reviewing information management and data breach response.
When reviewing a data breach incident, it is important to use the lessons learned to strengthen the entity’s personal information security and handling practices and reduce the likelihood of recurrence. A data breach should be considered alongside any similar breaches that have occurred in the past, which could indicate a systemic issue with policies or procedures.
If any updates are made following a review, staff should be trained in any changes to relevant policies and procedures to ensure a quick response to a data breach.