This data breach response policy and plan (response plan) sets out procedures and clear lines of authority for Yoonet staff in the event that Yoonet experiences a data breach (or suspects that a data breach has occurred).
A data breach occurs when personal information is lost or subjected to unauthorised access or disclosure. For good privacy practice purposes, this response plan also covers any instances of unauthorised use, modification or interference with personal information held by Yoonet. Data breaches can be caused or exacerbated by a variety of factors, affect different types of personal information and give rise to a range of actual or potential harms to individuals and entities.
This response plan is intended to enable Yoonet to contain, assess and respond to data breaches quickly, to help mitigate potential harm to affected individuals and to comply with the notifiable data breaches (NDB) scheme that commenced on 22 February 2018. Our actions in the first 24 hours after discovering a data breach are crucial to the success of our response.
The plan sets out contact details for the appropriate staff in the event of a data breach, clarifies the roles and responsibilities of staff, and documents processes to assist Yoonet to respond to a data breach.
When should the Director undertake a full Data Breach Response Process?
The Director is to use discretion in deciding whether to undertake a full Data Breach Response Process. Some data breaches may be comparatively minor and able to be dealt with easily without conducting a full-scale Data Breach Response Process.
For example, a Yoonet staff member may, as a result of human error, send an email containing personal information to the wrong recipient. Depending on the sensitivity of the contents of the email, if the email can be successfully recalled, or if the staff member can contact the recipient and obtain an assurance that the recipient has deleted the email, it may be that there is no utility in escalating the issue further.
The Director should use his/her discretion in determining whether a data breach or suspected data breach requires escalation. In making that determination, Directors should consider the following questions:
- Are multiple individuals affected by the breach or suspected breach? Is there (or may there be) a real risk of serious harm to any of the affected individual(s)?
- Does the breach or suspected breach indicate a systemic problem in Yoonet processes or procedures?
- Could there be media or stakeholder attention as a result of the breach or suspected breach?
If the answer to any of these questions is ‘yes’, then the Director should immediately conduct the full Data Breach Response Process.
If a Director decides not to conduct a full Data Breach Response Process for a minor data breach or suspected data breach, the Director should make a record in the Company’s electronic file including the following information:
- description of the breach or suspected breach
- what action was taken to address the breach or suspected breach
- the outcome of that action, and
- the Director’s reasons for their view that no further action is required
Data Breach Response Process
There is no single method of responding to a data breach. Data breaches must be dealt with on a case-by-case basis, by undertaking an assessment of the risks involved and using that risk assessment to decide the appropriate course of action. Depending on the nature of the breach, the Director may need to include additional staff or external experts, for example, an IT specialist/data forensics expert or a human resources adviser.
There are four key steps to consider when responding to a breach or suspected breach.
STEP 1: Contain the breach
STEP 2: Assess the risks associated with the breach
STEP 3: Consider breach notification
STEP 4: Review the incident and take action to prevent future breaches
The Director should ideally undertake steps 1, 2 and 3 either simultaneously or in quick succession. At all times, the Director should consider whether remedial action can be taken to reduce any potential harm to individuals.
The checklist below sets out the steps that the Directors will take in the event of a serious data breach.
Depending on the breach, not all steps may be necessary, or some steps may be combined. In some cases, it may be appropriate to take additional steps that are specific to the nature of the breach.
Following serious data breaches, the Director, with the assistance of selected staff or external experts, should conduct a post-breach review to assess the response to the breach and the effectiveness of this plan. The post-breach review report should identify any weaknesses in this response plan and include recommendations for revisions or staff training as needed.
Yoonet Data Breach Response Checklist
Step 1: Contain the breach
- Review the status of any databases or data stores and ensure that no ongoing breach is occurring
- Consider whether external expertise is required to assist
- Ensure evidence is preserved that may be valuable in determining the cause of the breach
- Consider a communications or media strategy to manage client or public expectations
Step 2: Assess the risks for individuals associated with the breach
- Conduct an initial investigation, and collect information about the breach promptly, including:
  - the date, time, duration, and location of the breach
  - the type of personal information involved in the breach
  - how the breach was discovered and by whom
  - the cause and extent of the breach
  - a list of the affected individuals, or possible affected individuals
  - the risk of serious harm to the affected individuals
  - the risk of other harms.
- Determine whether the context of the information is important.
- Establish the cause and extent of the breach.
- Assess priorities and risks based on what is known.
Step 3: Consider breach notification
- Determine who needs to be made aware of the breach (internally, and potentially externally) at this preliminary stage.
- Determine whether and how to notify affected individuals. Does the breach trigger the requirements of the NDB scheme? That is, is the breach likely to result in serious harm to any of the individuals to whom the information relates, and has Yoonet been unable to prevent the likely risk of serious harm through remedial action?
- Even if the NDB scheme threshold is not met, would notifying the individuals be appropriate?
- Consider whether others should be notified, including police/law enforcement, or other agencies or organisations that are affected by the breach, that can assist in containing the breach, or that can assist individuals affected by the breach.
Step 4: Review the incident and take action to prevent future breaches
- Fully investigate the cause of the breach.
- Implement a strategy to identify and address any weaknesses in data handling that contributed to the breach
- Conduct a post-breach review and document any recommendations:
  - Update security and response plan if necessary.
  - Make appropriate changes to policies and procedures if necessary.
  - Revise staff training practices if necessary.