Cyber Security

Responding to Data Breaches

Data breaches can be caused or exacerbated by a variety of factors, affect different types of personal information and give rise to actual or potential harms to individuals, agencies and organisations. Each breach will be dealt with on a case-by-case basis: the risks involved are assessed, and that assessment is used as the basis for deciding what actions to take.

Key steps in responding to a breach

Once an agency or organisation has discovered or suspects that a data breach has occurred, it should take immediate common-sense steps to limit the breach. These may include the following:

1. Contain the breach

Take whatever steps are possible to immediately contain the breach.

For example, stop the unauthorised practice, recover the records, or shut down the system that was breached. If it is not practical to shut down the system, or if it would result in loss of evidence, then revoke or change computer access privileges or address weaknesses in physical or electronic security.

Assess whether steps can be taken to mitigate the harm an individual may suffer as a result of a breach.

For example, if it is detected that a customer’s bank account has been compromised, can the affected account be immediately frozen and the funds transferred to a new account?

2. Initiate a preliminary assessment

Move quickly to appoint someone to lead the initial assessment. This person should have sufficient authority to conduct the initial investigation, gather any necessary information and make initial recommendations. A more detailed evaluation may subsequently be required. Determine whether there is a need to assemble a team that could include representatives from appropriate parts of the agency or organisation.

Consider the following preliminary questions:

  • What personal information does the breach involve?
  • What was the cause of the breach?
  • What is the extent of the breach?
  • What are the harms (to affected individuals) that could potentially be caused by the breach?
  • How can the breach be contained?

3. Consider who needs to be notified immediately

Determine who needs to be made aware of the breach (internally and potentially externally) at this preliminary stage. In some cases, it may be appropriate to notify the affected individuals immediately (for example, where there is a high level of risk of serious harm to affected individuals). Escalate the matter internally as appropriate, including informing the person or group within the agency or organisation responsible for privacy compliance.

It may also be appropriate to report such breaches to relevant internal investigation units. If the breach appears to involve theft or other criminal activity, it will generally be appropriate to notify the police. If the data breach is likely to involve a real risk of serious harm to individuals, or receive a high level of media attention, inform the OAIC. The OAIC may be able to provide guidance and assistance.

4. Other matters

Where a law enforcement agency is investigating the data breach, consult the investigating agency before making details of the breach public. Be careful not to destroy evidence that may be valuable in determining the cause or would allow the agency or organisation to take appropriate corrective action. Ensure appropriate records of the suspected breach are maintained, including the steps taken to rectify the situation and the decisions made.