Cheat sheet: How to respond to a data breach

With so much of our working and personal lives tied up in technology, data breaches and their impact on privacy have become common. 

Businesses need to be aware of their obligations when storing customer details and what to do in the increasingly likely event they suffer a data breach. Cyber criminals can perceive small businesses as easier targets, or stepping stones to their supply chain partners, with 78% of small businesses in danger.

By recognising the need to protect data and privacy, the Privacy Act 1988 regulates how entities must deal with personal information and what to do in the case of an eligible data breach.

Does my business have to comply with the act?

A person or entity has to meet the Privacy Act 1988’s privacy obligations if they:

• Have an annual turnover of more than $3 million (or have had an annual turnover of more than $3 million in the past); 
• Provide a health service and hold health information except in an employee record; 
• Disclose personal information about another person for a benefit, service or advantage; 
• Are a contracted service provider for a Commonwealth contract (whether or not a party to the contract); or
• Are a credit reporting body. 

If you are any of the above, you need to comply with the Australian Privacy Principles. For a quick guide to the 13 principles, and how they can apply to your business, read this.

What constitutes a data breach? Three elements

1. Unauthorised access to, disclosure of, or loss of, personal information held by you.

2. The access, disclosure or loss is likely to result in serious harm to one or more individuals.

3. You are not able to prevent the likely risk of serious harm with remedial action.

If a data breach features all of the above elements, it needs to be referred to the Office of the Australian Information Commissioner (OAIC). The OAIC may investigate the breach and the business or entity could face serious financial penalties or directions to rectify the issue.

The OAIC’s June-December 2020 Notifiable Data Breaches Report confirmed that about 40% of all reported data breaches in Australia are due to human error, such as sending an email to the wrong person or leaving confidential documents open on shared computers.  

The rest were almost all related to malicious or criminal attacks, the most common being:

Phishing

Most people have received an email claiming their account is compromised and needs emergency action, or that their online purchase requires them to verify their payment details. These are phishing attacks, designed to get you to provide passwords or other confidential details (e.g. your account number) to third parties. 

Use of compromised or stolen credentials

In early 2019 a collection of usernames and passwords dubbed Collection #1 through to Collection #5 circulated on the dark web. Combined, these collections contained over 25 billion email/password pairs. This was not the first collection of email/password pairs to be released, nor will it be the last. Individuals are unable to protect themselves if they are not aware that their information has been breached.

Social engineering

Social engineering does not always require technical expertise. Instead, it involves using different communication methods and coercion to acquire information from users. Phishing falls under the broad umbrella term ‘social engineering’, and includes phone calls pretending to be from a bank or pop-up ads saying your computer is infected with a virus.

Ransomware

The popularity of ransomware has increased exponentially over the last few years, rising by 150% in the first six months of 2020. Ransomware is often transmitted through an attachment or link in a spam email; when clicked, it encrypts the device and requests payment to unlock it. Certain strains of ransomware may also take the victim’s data.

What should I do?

1. Let your lawyer know you’ve suffered a breach, because if your business comes under the Privacy Act 1988, there are obligations that need to be complied with. You may also need a tech expert to help work out what went wrong. 

2. You want to minimise any disruption to your business and act quickly to contain the data breach.

   You have an obligation to take reasonable steps to prevent the misuse, interference, loss and unauthorised access, modification or disclosure, of personal information. 

   Therefore, your priority should be to re-secure your data and take steps to have the leaked data destroyed or permanently deleted.

   While you are taking these steps, you should notify the OAIC of the steps you are taking to contain the data breach.

3. Once the data breach has been contained and/or resolved, it is important that you conduct a review of the breach.

4. Everything needs to be documented and, if required, reported to the OAIC. The OAIC will then assess the breach and decide whether to issue a fine and, if so, how much it will be.

How to review the data breach

Your review must be done within 60 days of the data breach and should identify:

• How the data breach occurred;
• Why the data breach occurred;
• What was done to rectify the data breach;
• What could have been done to prevent the data breach; and
• What measures can be put in place to minimise the risk of the same type of data breach occuring again. 

This can include implementing stronger cybersecurity measures in your business; educating your staff on how to identify potential harmful emails, apps and malware; and establishing (or revising) a data breach response plan.

While the unfortunate reality is that you will likely suffer a data breach of some type during the life of your business, you can take steps to minimise the effect it can have on your business and whether the data breach has to be reported to the OAIC. 

The best way to do this is to establish and implement a data breach response plan and ensure it is followed.

Flowchart for responding to data breaches

OAIC guidelines for respending to a data breach. Source: Screengrab taken from OAIC website