Purpose
This data breach response procedure sets out the procedures that Box of Books staff must follow if Box of Books experiences an actual or suspected data breach. It explains key responsibilities and actions to be taken.
These procedures will help staff contain, assess and respond to data breaches quickly and in a way that mitigates harm to affected individuals. They will also help Box of Books to meet its obligations under the Notifiable Data Breaches (NDB) scheme and give confidence to employees and customers that Box of Books treats their personal information seriously and will respond promptly to protect it.
Background
The NDB scheme came into effect on 22 February 2018. It applies to all agencies and organisations covered by the Privacy Act 1988, which includes Box of Books. Under the scheme, Box of Books must notify individuals whose personal information is involved in certain data breaches, and the Australian Information Commissioner, about the breach.
Procedures
1 What is a data breach?
A data breach occurs when there has been unauthorised access to, or unauthorised disclosure of, personal information or a loss of personal information.
Unauthorised access occurs when personal information is accessed by someone who is not permitted to do so. This includes access by an employee, independent contractor, or an external third party such as a hacker.
Examples: An employee browses sensitive customer records without legitimate reason. Personal information is accessed in an external IT attack.
Unauthorised disclosure involves personal information being made available (intentionally or unintentionally) to others outside Box of Books.
Example: A person accidentally emails a spreadsheet containing credit card details to the wrong recipient in another organisation.
Loss of personal information occurs when personal information is lost in circumstances where that information could be accessed or disclosed by others.
Examples: An unencrypted USB stick containing a spreadsheet of personal information is left on public transport. Hard copy employee records are found in an unsecured bin at a public waste facility.
2 Which data breaches must be notified?
The NDB scheme requires notification of data breaches that are likely to result in serious harm. Under the scheme, individuals whose personal information is involved in such data breaches must be notified of the breach and the steps taken in response to the breach. The Australian Information Commissioner must also be notified of the data breach.
If Box of Books has responded quickly to the breach, and as a result of this action the data breach is not likely to result in serious harm, there is no need to notify individuals or the Australian Information Commissioner. However, Box of Books may decide to tell individuals about the incident if it is considered appropriate.
3 What does ‘likely to result in serious harm’ mean?
An assessment must be made of whether a data breach is likely to result in serious harm to any of the individuals to whom the information relates. Although ‘serious harm’ is not defined in the Privacy Act, it would encompass serious physical, psychological, emotional, financial or reputational harm. The risk of serious harm should be assessed by considering both the likelihood of the harm occurring and the consequences of the harm. Some of the factors that should be considered are:
(i) The type of personal information involved in the data breach
Some personal information is more sensitive than other information and could lead to serious ramifications for individuals if accessed. Information about a person’s health, documents commonly used for identity fraud (for example Medicare card, driver’s licence) or financial information are examples of information that could be misused if the information falls into the wrong hands.
(ii) Circumstances of the data breach
The scale and size of the breach may be relevant in determining the likelihood of serious harm. The disclosure of information relating to a large number of individuals would normally lead to a higher risk of at least some of those people experiencing harm. The length of time that the information has been accessible is also relevant. Think about who may have gained unauthorised access to information, and what their intention was (if any) in obtaining such access. It may be that there was a specific intention to use the information in a negative or malicious way.
(iii) Nature of possible harm
Consider the broad range of potential harm that could follow from a data breach including:
identity theft
financial loss
threat to a person’s safety
loss of business or employment opportunities
damage to reputation (personal and professional)
4 Who decides if a data breach is likely to result in serious harm?
Only one of the following Box of Books representatives should make an assessment of whether there is a likelihood of serious harm in relation to a particular data breach:
Chief Technology Officer
Chief Operating Officer
Chief Executive Officer
Director
The Australian Information Commissioner has enforcement powers under the Privacy Act, including receiving complaints from individuals, conducting investigations and issuing directions to an agency.
Given these consequences of non-compliance with the NDB scheme, only Box of Books staff listed above are responsible for determining whether a data breach is likely to result in serious harm and should be notified under the scheme.
5 What to do if a data breach is suspected but not confirmed
The notification requirements apply where there are reasonable grounds for believing that a data breach has occurred.
If it is unclear whether a data breach has occurred, but there is a suspicion that there may have been a breach, staff need to act quickly. Once it is suspected that there may have been a breach, the Privacy Act requires that an assessment of the situation be made as soon as practicable (within 30 days) to determine if there has been a data breach requiring notification.
The assessment process should involve:
deciding whether an assessment is necessary and who should carry it out
quickly gathering relevant information about the suspected breach
deciding whether an eligible data breach has occurred and if so, following these procedures
Remember that steps can be taken to mitigate potential harm at any time. If remedial action is successful in preventing serious harm, notification is not required.
6 Who should the data breach be reported to?
Staff who initially become aware that a data breach has occurred, or suspect that one has occurred, must immediately inform their business unit manager. They should make a record of:
the time and date the breach was discovered or suspected
the type of personal information involved
the cause and extent of the breach
any other relevant information
If a data breach is suspected the relevant manager (or nominee) should conduct an assessment as referred to in paragraph 5.
If a data breach is known to have happened, the staff member and/or their business unit manager must advise the Chief Technology Officer and Chief Operating Officer as soon as practicable.
7 Remedial action
Action should be taken as soon as possible to contain a suspected or known breach. This involves taking immediate steps to limit any further access to or distribution of the information. Such action might involve recovering or locating lost information before it is accessed or changing controls on IT accounts.
There is no need to notify individuals or the Australian Information Commissioner of a data breach if Box of Books has taken remedial action, and as a result the data breach would not be likely to result in serious harm. Whether the remedial action is sufficient should be considered in the earliest stages of the data breach by a Box of Books representative listed in paragraph 4, in consultation with the Privacy Contact Officer.
8 Establishing a data breach response team
A data breach response team should be established as soon as possible once it is determined that a data breach is likely to require notification of affected individuals.
The role of the response team is to:
take action to contain the breach
ensure evidence/information is collected and preserved
conduct an investigation to determine when and how the breach occurred, the type of information involved, the cause and extent of the breach, the individuals affected and the risk of serious harm
decide who needs to be made aware of the breach
decide whether to notify affected individuals, how the notification should occur and the contents of the notification and
report to the Executive on the outcome of the investigation and any recommendations
The Chief Operating Officer will coordinate the team’s response and advise the Executive and Board as required. If the Chief Operating Officer is unavailable the Chief Technology Officer or nominee will take on this role.
The composition of the response team will depend on the size, nature and complexity of the breach. Representatives of the business unit responsible for the personal information involved in the data breach would usually be a part of the response team.
9 Record keeping
Records of the data breach and the response team’s actions will be maintained by the company with appropriate security arrangements in place so that access to any documents containing personal information (including material detailing the subject matter of the breach) is restricted to those staff members who need to have access to the information.
10 How should notification occur?
Where serious harm is likely, the Chief Operating Officer will advise the Australian Information Commissioner of the type of breach, the information it relates to and recommended steps for individuals to minimise the risk of serious harm.
A similar notification must be provided to the affected individuals. There are three options for notifying individuals:
Notify all individuals whose personal information is affected
Notify only those individuals at risk of serious harm
If neither of the above is practicable, publish a statement on Box of Books’s website and further publicise it via other means, for example social media or a media release
Deciding which option to use to notify individuals will depend on the time, effort and cost involved. If it is not possible to assess which particular individuals are at risk of serious harm, all individuals who are impacted by the breach should be notified.
Where the response team determines that only a subset of people are at risk of harm, it may be better to notify only those individuals to avoid causing unnecessary distress to individuals who are not at risk.
Individuals should be contacted using the method of communication normally used by Box of Books to communicate with them. Individuals can be notified by email, SMS, telephone call or letter. If contact details for the person are available, direct communication is appropriate. If contact details are not available, then a message on Box of Books’s website or via social media channels may be the best way of notifying affected individuals.
The notification must include as a minimum the following:
the name and contact details of Box of Books
a description of the data breach including when it occurred, the circumstances of the breach, who may have accessed the information and the steps taken to contain the breach
the kinds of information concerned
recommendations about the practical steps (if any) that affected people should take in response to the breach
11 Review and follow up
The response team should review the incident and make recommendations about how to prevent future breaches. This may include updating policies or procedures, revising or conducting additional staff training or changing IT access controls. Where additional risks are discovered through a data breach, relevant policies or procedures (such as security risk management plans or threat risk assessments) should be updated to reflect the new risk or threat and potential mitigations.
Definition of terms
Data breach means unauthorised access to, or unauthorised disclosure of, personal information or a loss of personal information.
Notifiable data breach means a data breach that is likely to result in serious harm, which must be notified to affected individuals and the Australian Information Commissioner.
Personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
(a) whether the information or opinion is true or not, and
(b) whether the information or opinion is recorded in a material form or not
Definition of responsibilities
Australian Information Commissioner is responsible for receiving notifications of eligible data breaches, encouraging compliance with the NDB scheme, handling complaints, conducting investigations, and taking action in response to non-compliance.
Privacy Contact Officer is responsible for maintaining these procedures.
The Privacy Contact Officer is also responsible for providing advice on privacy issues, acting as the point of contact for the Australian Information Commissioner and investigating privacy complaints.