Data breaches can be like the digital version of a home invasion. Someone breaks in and rifles through private and sensitive information, usually with the intention of stealing it, exploiting it, or because they think it’s fun. A breach could also be the result of innocently forgetting your unprotected laptop on the train!
A data breach might be any situation where personal information contained by an organisation has been lost, stolen, or accessed and/or disclosed without authorisation.
They can get pretty ugly and damaging to a business’s reputation, customers, staff, and the bottom line.
The steps you take after a data breach can make or break your business, so it’s important that you roll up your sleeves and get it right the first time: comply with government regulations and legislation, and handle things with care and swift action. And don’t forget to be a human. That’s a person’s personal details you’ve lost!
Step 1 – Contain the breach
Once you’re made aware of the data breach, you should treat it like a leaking ship: find the source and contain it as soon as possible before any more damage is done. This might mean shutting down a network, locking out users, or otherwise stopping any more personal information from leaking out, to minimise harm while you work on the overall solution.
Step 2 – Find out what was stolen
‘Data’ could mean a bunch of things. Those ones and zeros could be someone’s identity, credit card details, or an organisation’s database of users. Each type of data comes with its own level of risk to the individual and organisation. It might be relatively harmless and easily replaced, or it might be extremely sensitive and devastating in the hands of a criminal.
Find out what data has been compromised and what level of risk it carries for those involved.
Step 3 – Assess the potential harm
You’ve contained the leak, you know what’s been compromised, now you need to assess the situation and determine whether the breach is likely to result in harm to the individuals affected. This is where the Australian Government’s ‘Notifiable Data Breaches scheme’ (NDB) comes in.
The NDB scheme requires organisations that meet certain criteria to notify the Office of the Australian Information Commissioner (OAIC), along with the individuals who may be affected by the breach. Hot tip: there’s a handy form on their website for this!
Step 4 – Notify
Notifying the OAIC
You’ve found the data breach is likely to result in harm to those affected. Now it’s time to notify the big guns. Your statement to the OAIC needs to outline:
- Your business’s contact details
- A full description of the breach (how it happened and the steps you’ve taken since)
- What kind of information has been compromised; and
- What the recommended steps are for the individuals affected
Notifying the individuals affected
Individuals take their data security seriously. They place their trust in organisations to do the right thing and come clean when their information has been compromised. An organisation’s approach can vary between ‘need-to-know’ where only the directly affected individuals are notified, a blanket approach where all individuals are notified, or a completely transparent approach where details of the data breach are publicised.
Whichever course of action you take, notifying affected individuals is required in order to comply with regulations, but it’s also a responsible step to maintain your reputation, trust, and integrity as a business!
Step 5 – Review and take action
Reviewing your data breach boils down to two simple questions: how did it happen, and what can you do to make sure it doesn’t happen again?
Conducting a full review and developing an action plan may involve:
- Investigating the data breach and determining the cause
- Developing a plan to put preventative measures in place
- Tightening security around your data collection and storage; and
- Keeping your staff in the loop by updating policies, procedures, and training
Data breaches are a looming threat over businesses that don’t have a tight lock on security and IT systems and procedures. Have a chat to us about how we can help you build a Fort Knox around your data.