Data Breach Response Plan
This Data Breach Response Plan (Response Plan) sets out the procedure to be followed by staff within the 3 Moments Group of Companies (“3 Moments Group”) in the event we experience a data breach, or suspect that a data breach has occurred.
Privacy is governed by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (“privacy legislation”).
Data Breach Notification Requirements
3 Moments Group will be required to provide notice as soon as practicable to the Office of the Australian Information Commissioner (“OAIC”) and affected individuals where there are reasonable grounds to believe that an “eligible data breach” has occurred.
A data breach will arise where there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals, or where such information is lost in circumstances that are likely to give rise to unauthorised access or unauthorised disclosure (for example, giving the information to the wrong person).
“Personal information” is any information that allows an individual to be personally identified.
An eligible data breach will arise where a “reasonable person” would conclude that there is a likely risk of “serious harm” to any of the affected individuals as a result of the unauthorised access or unauthorised disclosure. Although serious harm is not defined, it is likely to include serious physical, psychological, emotional, economic and financial harm, and even serious harm to reputation.
Serious harm will be likely if the harm is “more probable than not” having regard to a list of relevant matters set out in the privacy legislation. These matters include the sensitivity of the information, any security measures taken, such as encryption, and how easily those security measures could be overcome. 3 Moments Group is then obliged to:
- Prepare a statement containing certain prescribed information about the data breach and provide it to the OAIC; and
- Take steps to notify the affected individuals.
The steps required will depend upon the circumstances; however, they will usually include sending the statement to the individual via the usual means of communication (that is, whatever means is usual between the 3 Moments Group and the individual).
If 3 Moments Group has reasonable grounds to suspect an eligible data breach has occurred, then 3 Moments will be required to complete a “reasonable and expeditious” assessment into the relevant circumstances within 30 days.
Adherence with this Response Plan will ensure the 3 Moments Group can contain, assess and respond to data breaches in a timely fashion in order to mitigate potential harm to affected persons. This plan:
- Sets out the roles and responsibilities of staff;
- Sets out the contact details of appropriate staff in the event of a data breach; and
- Outlines the procedure to be followed in the event of a data breach.
If a 3 Moments Group staff member becomes aware of a suspected privacy data breach, the staff member must immediately:
- Notify senior management of the suspected data breach.
- Record and advise senior management of the time and date the suspected breach was discovered, the type of information involved, the cause and extent of the breach, and the context of the affected information and the breach.
Senior management must then assess and determine whether a data breach has occurred.
If senior management has any suspicion that a breach has occurred, the director must immediately notify the 3 Moments Group managing director.
Where a minor breach is dealt with, the following details must be recorded:
- Description of the breach or suspected breach;
- Action taken by the director or 3 Moments Group staff member to address the breach or suspected breach;
- Outcome of that action;
- Sign off from senior management that no further action is required; and
- Confirmation that the incident has been recorded in the 3 Moments Group Data breach incident log.
If the breach is serious, it must immediately be escalated to the managing director.
Data Breach Response
Once a matter has been escalated to the managing director, the process outlined below must be followed.
Each breach will need to be dealt with on a case-by-case basis, undertaking an assessment of the risks involved and using that risk assessment as the basis for deciding what actions to take in the circumstances.
Steps to Respond
There are four key steps to consider when responding to a breach or suspected breach:
- Containment & Assessment
- Evaluation of Risks
- Review & Re-evaluate
Generally, steps 1-3 should be carried out concurrently or in close succession.
1 Contain the breach
Once a data breach has been identified, action must be taken to immediately contain it. For example, stop the unauthorised practice, recover the records or shut down the system that was breached.
- Initiate a preliminary assessment
Move quickly to appoint someone to lead the initial investigation. This person must be suitably qualified and have sufficient authority to conduct the initial investigation.
Generally, this will be the person most suitably qualified to carry out the initial investigation.
In some situations, it will be necessary to assemble a team that includes representatives from appropriate areas of the 3 Moments Group to conduct the preliminary assessment.
The following questions should be addressed when making the preliminary assessment:
- What information does the breach involve?
- What was the cause of the breach?
- What is the extent of the breach?
- What are the harms (to affected persons) that could potentially be caused by the breach?
- How can the breach be contained?
2 Evaluate the risks associated with the breach
The following factors are relevant when assessing the risk:
- The type of information involved
  - Is it personal information or protected 3 Moments Group information?
  - Does the type of information that has been compromised create a greater risk of harm?
  - Who is affected by the breach?
- Determine the context of the affected information and the breach
  - What is the context of the information involved?
  - What parties have gained unauthorised access to the affected information?
  - Have there been other breaches that could have a cumulative effect?
  - How could the information be used?
- Establish the cause and extent of the breach
  - Is there a risk of ongoing breaches or further exposure of the information?
  - Is there evidence of theft?
  - Is the information adequately encrypted, anonymised or otherwise not accessible?
  - What was the source of the breach? (The risk of harm may be lower where the source of the breach is accidental rather than intentional.)
  - Has the information been recovered?
  - What steps have already been taken to mitigate the harm?
  - Is this a systemic problem or an isolated incident?
  - How many persons are affected by the breach?
- Assess the risk of harm to the affected persons
  - Who is the recipient of the information?
  - What harm to persons could result from the breach?
- Assess the risk of other harms
  - Other possible harms, including to the agency or organisation that suffered the breach. For example:
    - The loss of public trust in the agency
    - Reputational damage
    - Legal liability
    - Breach of secrecy provisions
A thorough evaluation of the risks will assist the 3 Moments Group in determining the appropriate course of action to take.
3 Decide whether to notify affected individuals or entities
In general, if a data breach creates a real risk of serious harm to a person, the affected person should be notified.
The key consideration is whether notification is necessary to avoid or mitigate serious harm to an affected person.
The following factors should be considered:
- What is the risk of serious harm to the person as determined by step 2?
- What is the ability of the person to avoid or mitigate possible harm if notified of a breach (in addition to steps taken by the agency or organisation)?
- Even if the person would not be able to take steps to fix the situation, is the information that has been compromised sensitive or likely to cause humiliation or embarrassment?
- What are the legal and contractual obligations to notify and what are the consequences of notification?
- Notification process
In general, notification should occur as soon as reasonably possible. However, in some instances, delay may be necessary.
Notification should be direct – by phone, letter, email or in person, to the affected individuals.
Indirect notification, either by website, posted notices or media should only occur where direct notification could cause further harm, is cost prohibitive or the contact information for affected persons is unknown.
- Details to include in the notification
The content of the notification will vary depending on the particular breach and notification method. However, the OAIC recommends that notifications include the following information:
- incident description;
- type of information involved;
- response to the breach;
- assistance offered to affected persons;
- other information sources designed to assist in protecting against identity theft or interferences with privacy (e.g. www.oaic.gov.au);
- the 3 Moments Group’s contact details;
- whether the breach has been notified to the regulator or other external contact(s);
- legal implications (e.g. the secrecy provisions);
- how individuals can lodge a complaint with the 3 Moments Group; and
- how individuals can lodge a complaint with the OAIC (where the information is personal information).
- Other notifications
It may also be appropriate to notify other third parties, such as the OAIC, the police, insurance providers, credit card companies, financial institutions, professional or other regulatory bodies, other internal or external parties who have not already been notified or agencies that have a direct relationship with the information lost/stolen.
4 Prevent future breaches
Once immediate steps have been taken to mitigate the risks associated with a breach, the 3 Moments Group managing director must take the time to investigate the cause of the breach.
The 3 Moments Group managing director must be briefed on the outcome of the investigation, including recommendations:
- to make appropriate changes to policies and procedures if necessary;
- to revise staff training practices if necessary; and
- to update this Data Breach Response Plan if necessary.