Cyber-attacks and other data breaches are, unfortunately, inevitable. But there are key steps every organisation should take to prepare for when the inevitable happens.
Responding to a significant cyber incident or other major data breach is often a time of crisis for any organisation. Anyone who has led or been part of the response team knows that these events are stressful for staff and require dedicated time and resources (both internal and external).
With the cyber risk landscape becoming more complex, the Optus data breach should be a clear warning sign to all organisations, regardless of size or regulatory obligations, to prepare now, and prepare well, for the inevitable.
Are you prepared?
Preparation for a data breach should be seen as part of an organisation’s overall risk management framework.
What “prepared” looks like will depend on the organisation: you will need an understanding of your cyber threats and controls, what and where your “crown jewels” are (including but not limited to your data), and your legal obligations with respect to information security and reporting in the event of a data breach or cyber security incident.
Preparation should be considered across all business functions (not just IT), processes, people and levels within the organisation, right up to the Board. This is because data breaches are not just a result of malicious cyber-attacks – people (and, more often than not, human error) are consistently reported as one of the leading causes of notified data breaches in Australia.
Have a plan
The cornerstone of your preparedness is having a documented response plan. Whether called a data breach response plan or a security incident response plan, if there is one step your organisation takes now, it should be to make sure you have one.
Having an actionable and tested plan will put your organisation in a position where it can meet its reporting obligations within the required timeframes and mitigate the risk of statutory non-compliance or breach of contract. This may include statutory reporting obligations under the Notifiable Data Breaches (NDB) scheme contained in the Privacy Act 1988 (Cth) and, if applicable to your organisation, cyber security incident reporting obligations under the Security of Critical Infrastructure Act 2018 (Cth). Your organisation may also have various other statutory reporting obligations to regulators, in Australia and overseas, as well as contractual obligations to report to government and other third parties, such as funding bodies.
In addition to helping the organisation meet its reporting obligations and manage the legal and reputational risks associated with a major data breach, having an actionable and tested plan is key to providing clear direction, mobilising stakeholders and maintaining a sense of order in a time of crisis.
What to include in your data breach response plan
For a data breach response plan to be useful, it needs to be easy to understand, tailored to your organisation and actionable. This means the plan should tell the reader:
- Who do I contact first if I know or suspect a cyber-attack or data breach affecting the organisation? What are the contact details for that person and a nominated alternative contact, including out-of-hours phone numbers?
- What are the roles and responsibilities of the internal teams responding to the data breach? (For example, which person/team is responsible for the initial investigation? When should the privacy team be engaged?)
- What are our reporting obligations, including timeframes? Who within the organisation makes the decision as to when and how we engage with law enforcement, our insurers and when and how we notify regulators, affected individuals and others?
- When and how do we engage external legal and other advisers (such as for forensic technology and cyber security, communications or public relations services)? What are the contact names, emails and out-of-hours contact details for the external stakeholders? How do we maintain legal professional privilege if we are engaging a third party to provide an investigation report?
- How do we deal with any requests for information (whether from staff, customers or the media)? Do we have any templated communications (proactive and reactive) ready that we can update for the incident?
- How will we deal with privacy complaints? Can our customer service team/call centre deal with an increased volume of calls, or do we have a process to stand up additional support?
- What is the plan where remediation requires support for affected individuals?
The Office of the Australian Information Commissioner (OAIC) provides a number of useful resources for organisations. The Data Breach Preparation and Response Guide contains a comprehensive description of what your data breach response plan should cover and a checklist. This is a useful starting point and should be tailored for your particular organisation and, at a minimum, answer the above questions.
Don’t set and forget
We know from the recent Federal Court decision in RI Advice and consistent comments from Australian regulators that, while it is not possible to eliminate all risk of cyber-attack or data breach, organisations must have appropriate processes, controls, documentation and training in place.
This includes having a robust, tailored and actionable data breach response plan. But having a plan, as we know, is not enough: once the plan is set, the organisation must communicate it, test it and train staff on it. Ideally, this would include tabletop exercises on the plan with key stakeholders. Training and awareness-building should also occur on a regular and ongoing basis as part of your organisation’s cyber security strategy and privacy management framework.
Cyber-attacks and data breaches are inevitable. But the organisations that survive and come out the other side are those that are prepared. A data breach response plan is a critical tool for complying with reporting obligations and for responding in a way that effectively reduces the impact of the data breach on affected individuals and mitigates the damage to the organisation’s reputation. This really is a case of preparation preventing poor performance.