Key steps in responding to a breach
Once an agency or organisation has discovered or suspects that a data breach has occurred, it should take immediate common-sense steps to limit the breach. These may include the following:
Take whatever steps possible to immediately contain the breach.
For example, stop the unauthorised practice, recover the records, or shut down the system that was breached. If it is not practical to shut down the system, or if it would result in loss of evidence, then revoke or change computer access privileges or address weaknesses in physical or electronic security.
Assess whether steps can be taken to mitigate the harm an individual may suffer as a result of a breach.
For example, if it is detected that a customer’s bank account has been compromised, can the affected account be immediately frozen and the funds transferred to a new account?
Move quickly to appoint someone to lead the initial assessment. This person should have sufficient authority to conduct the initial investigation, gather any necessary information and make initial recommendations. A more detailed evaluation may subsequently be required. Determine whether there is a need to assemble a team that could include representatives from appropriate parts of the agency or organisation.
Consider the following preliminary questions:
Determine who needs to be made aware of the breach (internally and potentially externally) at this preliminary stage. In some cases, it may be appropriate to notify the affected individuals immediately (for example, where there is a high level of risk of serious harm to affected individuals). Escalate the matter internally as appropriate, including informing the person or group within the agency or organisation responsible for privacy compliance.
It may also be appropriate to report such breaches to relevant internal investigation units. If the breach appears to involve theft or other criminal activity, it will generally be appropriate to notify the police. If the data breach is likely to involve a real risk of serious harm to individuals, or receive a high level of media attention, inform the OAIC. The OAIC may be able to provide guidance and assistance.
Where a law enforcement agency is investigating the data breach, consult the investigating agency before making details of the breach public. Be careful not to destroy evidence that may be valuable in determining the cause or would allow the agency or organisation to take appropriate corrective action. Ensure appropriate records of the suspected breach are maintained, including the steps taken to rectify the situation and the decisions made.