Responding and Action To Data Breaches


Responding to data breaches: four key steps

Data breaches can be caused or exacerbated by a variety of factors, affect different types of
personal information and give rise to a range of actual or potential harms to individuals, agencies
and organisations.

As such, there is no single way of responding to a data breach. Each breach will need to be dealt
with on a case-by-case basis, undertaking an assessment of the risks involved, and using that risk
assessment as the basis for deciding what actions to take in the circumstances.

There are four key steps to consider when responding to a breach or suspected breach:

- Step 1: Contain the breach and do a preliminary assessment
- Step 2: Evaluate the risks associated with the breach
- Step 3: Notification
- Step 4: Prevent future breaches

DATA BREACH OCCURS
Personal information is lost or subjected to unauthorised access, modification, use or
disclosure, or other misuse or interference.

KEY STEPS IN RESPONDING TO A DATA BREACH

Step 1: Contain the breach and make a preliminary assessment
- Take immediate steps to contain the breach
- Designate a person/team to coordinate the response

Step 2: Evaluate the risks for individuals associated with the breach
- Consider what personal information is involved
- Determine whether the context of the information is important
- Establish the cause and extent of the breach
- Identify what the risk of harm is

Step 3: Consider breach notification
- Risk analysis on a case-by-case basis
- Not all breaches necessarily warrant notification

SHOULD AFFECTED INDIVIDUALS BE NOTIFIED?
Where there is a real risk of serious harm, notification may enable individuals to take steps
to avoid or mitigate harm. Consider:
- Legal/contractual obligations to notify
- Risk of harm to individuals (identity crime, physical harm, humiliation, damage to
reputation, loss of business or employment opportunities)

Process of Notification
- When? - as soon as possible
- How? - direct contact preferred (mail/phone)
- Who? - the entity with the direct relationship with the affected individual
- What? - description of the breach, type of personal information involved, steps to help
mitigate, contact details for information and assistance.

SHOULD OTHERS BE NOTIFIED?

Step 4: Review the incident and take action to prevent future breaches
- Fully investigate the cause of the breach
- Consider developing a prevention plan
- Option of an audit to ensure the plan is implemented
- Update security/response plan
- Make appropriate changes to policies and procedures
- Revise staff training practices

Step 1: Contain the breach and do a preliminary assessment

Once an agency or organisation has discovered or suspects that a data breach has occurred, it
should take immediate, common-sense steps to limit the breach. These may include the following:

Contain the breach

Take whatever steps possible to immediately contain the breach.

For example, stop the unauthorised practice, recover the records, or shut down the system that
was breached. If it is not practical to shut down the system, or if it would result in loss of
evidence, then revoke or change computer access privileges or address weaknesses in physical or
electronic security.

Assess whether steps can be taken to mitigate the harm an individual may suffer as a result of a
breach.

For example, if it is detected that a customer’s bank account has been compromised, can the
affected account be immediately frozen and the funds transferred to a new account?

Initiate a preliminary assessment

Move quickly to appoint someone to lead the initial assessment. This person should have
sufficient authority to conduct the initial investigation, gather any necessary information and
make initial recommendations. If necessary, a more detailed evaluation may subsequently be
required.

Determine whether there is a need to assemble a team that could include representatives from
appropriate parts of the agency or organisation.

Consider the following preliminary questions:

- What personal information does the breach involve?
- What was the cause of the breach?
- What is the extent of the breach?
- What are the harms (to affected individuals) that could potentially be caused by the
breach?
- How can the breach be contained?

Consider who needs to be notified immediately

Determine who needs to be made aware of the breach (internally, and potentially externally) at
this preliminary stage.

In some cases it may be appropriate to notify the affected individuals immediately (for example,
where there is a high level of risk of serious harm to affected individuals).

Escalate the matter internally as appropriate, including informing the person or group within the
agency or organisation responsible for privacy compliance.

It may also be appropriate to report such breaches to relevant internal investigation units.
If the breach appears to involve theft or other criminal activity, it will generally be appropriate to
notify the police.

If the data breach is likely to involve a real risk of serious harm to individuals, or receive a high
level of media attention, inform the OAIC. The OAIC may be able to provide guidance and
assistance.

Other matters

Where a law enforcement agency is investigating the breach, consult the investigating agency
before making details of the breach public.

Be careful not to destroy evidence that may be valuable in determining the cause or would allow
the agency or organisation to take appropriate corrective action.

Ensure appropriate records of the suspected breach are maintained, including the steps taken to
rectify the situation and the decisions made.

Step 2: Evaluate the risks associated with the breach

To determine what other steps are immediately necessary, agencies and organisations should
assess the risks associated with the breach.

Consider the following factors in assessing the risks:

- The type of personal information involved.
- The context of the affected information and the breach.
- The cause and extent of the breach.
- The risk of serious harm to the affected individuals.
- The risk of other harms.

Step 3: Notification

Agencies and organisations should consider the particular circumstances of the breach, and:

- decide whether to notify affected individuals, and, if so
- consider when and how notification should occur, who should make the notification, and
who should be notified
- consider what information should be included in the notification, and
- consider who else (other than the affected individuals) should be notified.

Notification can be an important mitigation strategy that has the potential to benefit both the
agency or organisation and the individuals affected by a data breach. The challenge is to
determine when notification is appropriate. While notification is an important mitigation
strategy, it will not always be an appropriate response to a breach. Providing notification about
low-risk breaches can cause undue anxiety and desensitise individuals to notices. Each incident
needs to be considered on a case-by-case basis to determine whether breach notification is
required.

In general, if a data breach creates a real risk of serious harm to the individual, the affected
individuals should be notified.

Prompt notification to individuals in these cases can help them mitigate the damage by taking
steps to protect themselves. Agencies and organisations should:

- take into account the ability of the individual to take specific steps to mitigate any such
harm, and
- consider whether it is appropriate to inform other third parties such as the OAIC, the
police, or other regulators or professional bodies about the data breach.

Who else should be notified?

- Police — If theft or other crime is suspected. The Australian Federal Police should also
be contacted if the breach may constitute a threat to national security.
- Insurers or others — If required by contractual obligations.
- Credit card companies, financial institutions or credit reporting agencies — If their
assistance is necessary for contacting individuals or assisting with mitigating harm.

Step 4: Prevent future breaches

Once the immediate steps are taken to mitigate the risks associated with the breach, agencies and
organisations need to take the time to investigate the cause and consider whether to review the
existing prevention plan or, if there is no plan in place, develop one.

A prevention plan should suggest actions that are proportionate to the significance of the breach,
and whether it was a systemic breach or an isolated event.

This plan may include:

- a security audit of both physical and technical security
- a review of policies and procedures and any changes to reflect the lessons learned from
the investigation, and regular reviews after that (for example, security, record retention
and collection policies)
- a review of employee selection and training practices, and
- a review of service delivery partners (for example, offsite data storage providers).

The plan may include a requirement for an audit at the end of the process to ensure that the
prevention plan has been fully implemented.

Suggested preparations for responding to a data breach include the following:

- Develop a breach response plan

While the aim should be to prevent breaches, having a breach response plan may assist in
ensuring a quick response to breaches, and greater potential for mitigating harm.

The plan could set out contact details for appropriate staff to be notified, clarify the roles and
responsibilities of staff, and document processes which will assist the agency or organisation to
contain breaches, coordinate investigations and breach notifications, and cooperate with external
investigations.

- Establish a breach response team

Depending on the size of the agency or organisation, consider establishing a management team
responsible for responding to personal information breaches. The team could include
representatives from relevant areas that may be needed to investigate an incident, conduct risk
assessments and make appropriate decisions (for example, privacy, senior management, IT,
public affairs, legal).

The team could convene periodically to review the breach response plan, discuss new risks and
practices, or consider incidents that have occurred in other agencies or organisations.

It may also be helpful to conduct ‘scenario’ training with team members to allow them to
develop a feel for an actual breach response. Key issues to test in such training would be
identifying when notification is an appropriate response, and the timing of that notification.

- Identify relevant service providers

Consider researching and identifying external service providers that could assist in the event of a
data breach, such as forensics firms, public relations firms, call center providers and notification
delivery services. The contact details of the service providers could be set out in the breach
response plan. This could save time and assist in responding efficiently and effectively to a data
breach.

- Enhance internal communication and training

Ensure staff have been trained to respond to data breaches effectively, and are aware of the
relevant policies and procedures. Staff should understand how to identify and report a potential
data breach to the appropriate manager(s).

- Enhance transparency

Include information in the agency or organisation’s privacy policy about how it responds to
breaches. This could include letting individuals know when and how they are likely to be
notified in the event of a breach, and whether the agency or organisation would ask them to
verify any contact details or other information.

This would make clear to individuals how their personal contact information is used in the event
of a breach, and may also assist individuals to avoid ‘phishing’ scam emails involving fake
breach notifications and requests that recipients verify their account details, passwords and other
personal information.
