Following on from my last post, which covered the 5 things you need to know about the Notifiable Data Breach (NDB) scheme, this post is focused on the 5 things you really must do in order to be prepared for the Notifiable Data Breach scheme. As you will remember, the NDB impacts a significant number of organisations and requires specific actions to be followed in the event of a breach. So here is a top 5:
- Find out whether you need to comply with the provisions of the NDB.
- Determine what sensitive personal information you hold, and make a determination of what the following terms mean to you and your organisation:
  a. likely to ‘occur’
  b. ‘serious harm’.
- Prepare a step-by-step process of what you need to do in the event of a breach.
- Educate your stakeholders.
- Run a practice drill.
1. Find out whether you need to comply with the provisions of the NDB Scheme
This task should be the simplest of the 5 things you need to do. A good starting point is provided in my previous blog post, but if you are in any doubt, please refer to the Office of the Australian Information Commissioner’s website.
If you are covered by the scheme and need to comply, and haven’t already started on your NDB compliance journey, I’d suggest you need to initiate some internal conversations. If necessary, engage some external expertise.
Even if you don’t need to comply, the investment you make in preparing a breach process will not be wasted.
2. Determine what sensitive personal information you hold
This task may sound a little easier than it actually is for a large number of organisations. Unfortunately, many organisations have a very poor understanding of their information assets, what is important to them, and what information they need in order to run their business. If sensitive information is not understood, you may be capturing, storing or processing more sensitive information than you need to.
You should also consider where that sensitive information is stored. Long gone are the days when you could safely say “all my data is on my big file server in my data centre under lock and key”. When you really look into where sensitive personal data is stored, you are likely to find that it is located on multiple servers and applications, SAN devices, laptops, iPhones, USB sticks, on your backup media, on SharePoint, OneNote, Dropbox, and in a myriad of other cloud and/or shadow IT environments.
The next consideration needs to be who has access to the sensitive personal information you possess. Questions to consider include: Do you outsource functions, systems or operational tasks? Are you storing data entirely within Australia, or are you working offshore and around the globe? Do your partners know that you have an NDB obligation? What is the state of your information supply chain, and where are you exposed? In fact, the legislation does recognise that organisations can jointly hold personal information, and has made provisions to avoid duplicate obligations.
Only once you have a full appreciation of what information you hold custodial responsibility over, where it is, and who else has access to it, can you make a determination and a judgement on what is ‘likely to result in serious harm’.
As with most approaches to information security and privacy matters, a solid understanding of risk management in terms of likelihood and consequence should be leveraged to inform the conversation around the serious harm question. The implementation of the NDB scheme effectively raises the bar on expectations from a risk management perspective.
3. Prepare a step-by-step process of what you need to do in the event of a breach
After you have undertaken an information asset inventory and understood what sensitive personal information you have, where it is and who has access to it, you need to prepare for a breach by developing a breach response framework. The framework should include:
- A process that provides:
  - Identification, investigation, validation and containment rules
  - Clear authority to initiate an investigation and declare a breach
  - High-level resolution guidelines and plans
  - Permitted timeframes for each phase of the breach
  - Communications protocols internally, including a clear RACI model
  - Key contacts both within your organisation and with specialist external parties to assist with investigation and resolution where required
  - Plugs into your work health and safety policy to help manage fatigue
- Notification protocol for individuals affected. There are pro formas available and these can be leveraged rather than invented. The information provided that relates to the breach should include:
  - the date, or date range, of the unauthorised access or disclosure
  - the date the data breach was detected
  - the circumstances and/or known causes of the data breach
  - who has obtained or is likely to have obtained access to the information
  - the steps undertaken to contain or remediate the breach
- Options for notifying individuals include:
  - Notify all individuals impacted
  - Notify only individuals who are at likely risk of serious harm
  - Publish your notification, and publicise it to bring it to the attention of individuals at likely risk of serious harm
- Notification protocol for the OAIC. Again, pro formas exist that can be used. Items required to be provided in the notification to the OAIC include:
  - Contact details for your organisation
  - A description of the data breach
  - The kind of information involved in the data breach
  - The steps you recommend for impacted individuals in response to the breach
4. Educate your stakeholders
Without appropriate education and guidance, responsibility for everything during a breach may fall on you – the reader of this blog! Each stakeholder must know their roles and responsibilities and must be able to operate autonomously and as part of a team when it comes to managing a breach. An internal education activity is definitely something that you should undertake as a priority after your preparation activities. But don’t forget step 5. Knowledge helps, but nothing makes that knowledge stick like having stepped through the protocol at least once.
5. Run a practice drill
As the old saying goes, practice makes perfect. Running a breach practice drill doesn’t have to be onerous or take massive amounts of time to prepare, although the more you plan and the more often you practise, the better off you will be. As a first step, prepare some meaningful scenarios, book a meeting with relevant stakeholders, establish some ground rules and run through your established breach process for each of the practice scenarios. Appoint a note taker who will observe and record variations to the process flow. Initially, stick to the process that you have designed, but annotate any issues. Then roll those lessons learned into a second iteration of your NDB process.
Then keep practising. Perhaps utilise your regular business continuity and disaster recovery drills as a vehicle to test your NDB processes.