Data breach response plan

A data breach occurs when personal information is lost or subjected to unauthorised access or disclosure. For good privacy practice purposes, this response plan also covers any instance of unauthorised use, modification or interference with personal information held by Vendorati. Data breaches can affect different types of personal information and give rise to a range of actual or potential harms to individuals and entities.

This response plan is intended to enable Vendorati to contain, assess and respond to data breaches quickly, to help mitigate potential harm to affected individuals and to comply with the notifiable data breaches (NDB) scheme. Our actions in the first 24 hours after discovering a data breach are crucial to the success of our response.

The plan sets out contact details for the appropriate staff in the event of a data breach, clarifies the roles and responsibilities of staff, and documents processes to assist Vendorati to respond to a data breach.

Data breach response team — members

Chief Technology Officer (CTO) – Florin Miu

When should a data breach be escalated to Vendorati data breach response team?

Some data breaches may be comparatively minor, and able to be dealt with easily without action from the data breach response team (response team).

For example, an officer may, as a result of human error, send an email containing personal information to the wrong recipient. Depending on the sensitivity of the contents of the email, if the email can be successfully recalled (recall is only possible for internal emails), or if the officer can contact the recipient and obtain an assurance that the recipient has deleted the email, there may be no utility in escalating the issue to the response team.

Members of the Vendorati team should use their discretion in determining whether a data breach or suspected data breach requires escalation to the response team. In making that determination, team members should consider the following questions:

  • Are multiple individuals affected by the breach or suspected breach?
  • Is there (or may there be) a real risk of serious harm to any of the affected individual(s)?
  • Does the breach or suspected breach indicate a systemic problem in Vendorati processes or procedures?
  • Could there be media or stakeholder attention as a result of the breach or suspected breach?

If the answer to any of these questions is ‘yes’, then that person should attempt immediate verbal contact with the CTO.

The process set out below describes the steps that the response team will take in the event of a serious data breach.

Employees should inform the CTO of minor breaches

If an employee decides not to escalate a minor data breach or suspected data breach to the response team for further action, the employee should:

  • send a brief email to the CTO that contains the following information:
    • description of the breach or suspected breach
    • action taken by the employee to address the breach or suspected breach
    • the outcome of that action, and
    • the employee’s reasons for their view that no further action is required
  • save a copy of that email in the following folder:
    • Data Breach Response – reports and investigation of data breaches within Vendorati

Data breach response process

There is no single method of responding to a data breach. Data breaches must be dealt with on a case-by-case basis, by undertaking an assessment of the risks involved, and using that risk assessment to decide the appropriate course of action. Depending on the nature of the breach, the response team may need to include additional staff or external experts, for example an IT specialist/data forensics expert or a human resources adviser.

There are four key steps to consider when responding to a breach or suspected breach.

  • Step 1: Contain the breach
  • Step 2: Assess the risks associated with the breach
  • Step 3: Consider breach notification
  • Step 4: Review the incident and take action to prevent future breaches

The response team should ideally undertake steps 1, 2 and 3 either simultaneously or in quick succession. At all times, the response team should consider whether remedial action can be taken to reduce any potential harm to individuals.

Depending on the breach, not all steps may be necessary, or some steps may be combined. In some cases, it may be appropriate to take additional steps that are specific to the nature of the breach.

Following serious data breaches, the response team should conduct a post-breach review to assess Vendorati’s response to the breach and the effectiveness of this plan. The post-breach review report should identify any weaknesses in this response plan and include recommendations for revisions or staff training as needed.

Testing this plan

Members of the response team should test this plan with a hypothetical data breach annually to ensure that it is effective. As with the post-breach review following an actual data breach, the response team must report to the CEO on the outcome of the test and make any recommendations for improving the plan.

Records management

Documents created by the response team, including post-breach and testing reviews, should be saved in the following folder:

  • Data Breach Response – reports and investigation of data breaches within Vendorati

Reporting

Vendorati’s privacy management plan states that the internal handling of personal information will be an agenda item on the Executive group meetings at least once a year and include a report of any privacy complaints against the company and internal data breaches.