Married Hacked at first sight: Dating tips for your data breach response plan
Cyber Security

By Ledlin Lawyers*
Terry Ledlin, Natalie Ledlin, Holly Jackson

CREDIT MANAGEMENT IN AUSTRALIA • March 2018

You left your laptop at the pub and it has a copy of your organisation's debtor ledger and customer list on it – should you be worried?

Your phone goes missing. It is unlocked and can be used to access the servers at work – is that a problem?

One of your staff opens an email attachment seemingly giving details of an ATO tax refund – ransomware has been installed and you are locked out. What should you do?

Notifiable Data Breaches ("NDB")

When we talk about "privacy", it is an intangible concept for most of us; we can't see it, touch it, smell it, or hear it. But we know what it feels like if our own privacy is breached.

With the commencement of the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) ("Privacy Act") on 22 February 2018, not only is there an obligation on businesses to notify the regulator (the OAIC) about a "serious data breach" but also a requirement to have a Data Breach Response Plan.

Credit Professionals who deal in risk management daily will know privacy is yet another area of business where their risk management skills can come into their own. Protecting the assets of the business is a core responsibility for credit managers. The requirement for an NDB Response Plan is an ideal opportunity for credit managers to shine.

The Do's

If there has been an "eligible data breach" incident, you have a date with data whether you like it or not. An eligible data breach is where there are reasonable grounds to believe that unauthorised access, disclosure or loss of information will result in serious harm to any individuals to whom the information relates. Here is our checklist of what to do when this happens:

1. Contain the breach
   - Consider the value of your data and reputation – i.e. what sort of data are you dealing with? What is at stake?
   - If a breach occurs, move promptly.
   - Consider potential and actual data breaches to be serious.
   - Consider calling in cyber security experts.

2. Assess the breach
   - Obtain and evaluate any and all information about the breach.
   - Determine and understand the risks posed by the breach.
   - Have your notification obligations been triggered?
   - If required, conduct a formal assessment within 30 days.

3. Notify the breach
   - Is notification necessary to the OAIC and affected individuals?
   - What information should be provided in the notification?
   - How is the notification to be made?
   - Consider all your obligations under the NDB Scheme.

4. Review the breach
   - What lessons have been learned?
   - What actions can be taken to prevent future data breaches?
   - How can your security, privacy policies and handling procedures be improved?
   - Document the review of the data breach from start to finish.

The Don'ts

To make the marriage Response Plan successful, here are our tips for what not to do:

1. Don't ignore or delay a response to any actual or suspected data breach;
2. Don't assume whether it's a real data breach or not – always assess any data breach;
3. Don't omit important people or information from the notification;
4. Don't skip the review or its documentation;
5. Don't destroy evidence that may be valuable in identifying the cause of the breach.

Takeaway points

There are a number of key points that you can take from this article back to your team and business:

1. You need a plan setting out how to deal with any data breach.
2. Think of it like a fire drill – have a team organised and practice your proposed response regularly.
3. Don't forget your suppliers – in this cloud-based world your data could be held anywhere. APP 11 provides that where an entity "holds data" it means that the entity has "possession or control of a record that contains personal information". The term "holds" extends beyond physical possession of a record, meaning that, if the storage of that record is outsourced to a third party, then the entity will also be responsible in the event of a data breach by that third party.
4. You should ensure that you know how any supplier proposes to manage a data breach. Have they had data breaches in the past? Have they a record and reputation for trustworthy services? Do you need to ensure your contracts will protect your company in the event of a breach?
5. In your Response Plan consider template letters, website notifications, email notifications, an emergency hotline, a press release and engaging external consultants to review your process and security safeguards.
6. Don't forget to regularly de-identify your data. If you have a data breach incident and your data is years old, you may be forced into advising far more affected parties than strictly necessary. Regular cleansing of the database will ensure any data breach is limited only to current customers.
7. Don't forget about cyber insurance, which can provide a further tool in your risk management kit.

Don't go on a blind date – your lawyer can help you

Your lawyer can offer "relationship advice" when it comes to Privacy matters, including:

1. Carry out a Privacy review and audit to establish exactly what is required for your organisation;
2. Advise on compliance with the Privacy Act and notifications to both individuals and the OAIC;
3. Consider and review any third-party contracts or arrangements to ensure that your company is not unnecessarily exposed to any data breach risk;
4. Negotiate contract amendments with your suppliers and any other contractors;
5. Assist with policies and procedures for privacy and Data Breach Response Plans;
6. Provide template notification documents (i.e. letters, website and email notifications, etc.) in case an eligible data breach does occur;
7. Prepare and deliver privacy training guides for staff; and
8. Any other risk management issues tailored to your organisation.

What's Next?

You can expect to hear over the next 12 months plenty more about this new regime. Certainly, the Regulator has been active and will continue to be so. The Regulator's website has a large amount of information designed to assist business with its obligations, see https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme.

There's a popular reality TV show where couples (who have never met before) meet at the altar to express undying commitment and loyalty for life to each other, and then spend several weeks mostly experiencing spousal remorse.

The Privacy Act is a bit like that – we swear we are going to faithfully follow its guidelines and promise our customers they can trust us with their most personal information, and then we pay lip service to our obligations. Instead of paying alimony, respondents who breach the Act can be liable for fines ranging up to $2.1 million. Those penalties will simply be insignificant if you consider the damage to reputation and trust when your customers find out their privacy has been breached and you have failed to respond appropriately. This really is one relationship that you need to make work.

*For more information check out our Insights page at https://www.ledlinlawyers.com.au/our-insights/ or contact any of the team at Ledlin Lawyers on Ph: (02) 8488 3389 or email: info@ledlinlawyers.com.au