A prepper's guide to the privacy apocalypse
Updated: May 15, 2018
With the changes to the Australian Privacy Act (Privacy Amendment (Notifiable Data Breaches) Act 2017) come a number of obligations for organisations under the jurisdiction of the Privacy Act.
Taking effect from Feb 22nd 2018, this legislation requires the notification of individuals whose personal information has been involved in a data breach that is likely to result in serious harm.
In reviewing the online form for reporting a data breach, a few interesting items were apparent.
The form included items such as the following, and (as examples) mentioned email address and phone number under contact information:
Tax File Number
Other sensitive information
With the ongoing hit parade of data breaches and clearing house of compromised credentials many organisations have started to get an uneasy feeling about whether they are well prepared for a data breach.
So what can an organisation do to prepare? Below are a few things to consider in preparation for a data breach.
Prepare (and practise) a security incident response plan which includes consideration for a data breach and clarifies the conditions for an 'eligible data breach': (access, loss or disclosure) + (likely risk of serious harm) + (unable to remediate / prevent the risk of serious harm). Agreeing with management stakeholders on investigation priorities and objectives in advance of a breach is another important consideration (e.g. restore services, collect evidence, confirm protection).
Consider how to handle complaints or public assertions. If a customer or member of the public contacts you to report a breach directly, how will this be triaged and investigated to reduce noise and cost? In addition, an investigation whose only conclusion is 'we conducted an investigation and can find no evidence of a data breach' may not be sufficient to protect an organisation or its reputation. This may require having evidence to prove that systems and networks stayed secure.
Establish a notification process which effectively addresses the risk through notifying some or all of the individuals (depending on the likely risk of serious harm) or the Public with effective broader communications.
Establish system and network visibility (such as logging and monitoring) to provide an independent information source. An example of this could include the capture of network traffic in both directions. This supports questions such as 'can we find any evidence of a large transfer of data?'.
Periodically test your systems and networks for security vulnerabilities. Many data breaches occur through the compromise of network or system security, and often involve well-known and long-lived security vulnerabilities. Without this, the actions involved in containing a detected issue or determining the extent of a breach will be significantly harder, more time-consuming and costly.
In addition to the items above, the Office of the Australian Information Commissioner has published a useful guide for organisations in preparing for the changes.
Contact us for assistance in preparing for or managing your response to data breaches.
Author: Clinton Smith