This article is the second in our series on data breaches and cyber security. Please click here to read our first article, “Cyber Security: prevention is the best cure”.
So, you have just learned that your company experienced a cyber incident and a likely data breach. Whether hackers stole personal information from your corporate server, a disgruntled employee stole customer information, or personal information was accidentally published on your company’s website, you are probably thinking “what do we do now?”
Effectively responding to a cyber incident and data breach involves four key actions: (1) Contain; (2) Assess; (3) Notify and (4) Review. The overriding principle is harm minimisation – minimising the potential harm to affected individuals and to your company – both financially and reputationally.
Step 1 – Contain: first, take steps to confirm that a data breach has actually occurred. Once confirmed, act immediately to secure your systems and close the vulnerability that was exploited, so that the breach is contained and no further personal information is compromised.
The steps to be taken to contain the breach will depend on the nature of the breach. However, some common actions include:
- stopping the unauthorised practice;
- recovering the data;
- in the case of malware or hacking, isolating the compromised system (for example, disconnecting it from the network) while preserving logs and other evidence needed for the investigation in Step 2;
- deleting wrongly published information; and
- changing computer access codes or correcting weaknesses in physical or electronic security.
Step 2 – Assess: once your company has, where possible, contained a data breach, you must assess the risk of harm that affected individuals could suffer because of the breach. This will require an investigation into the cause of the breach and the surrounding circumstances.
It is important that you have the right team in place to accurately assess the risk. To this end, involving Hamilton Locke in this process at the very outset is important: we have a specialised privacy and data security team who can lead the risk assessment and help minimise financial loss and reputational damage. We also have strategic arrangements with a variety of forensic, cyber security and insurance companies for urgent incident response situations, who can work alongside your in-house team.
Once instructed, we assemble the investigators and notify your insurers of the cyber incident on your behalf. Communications between you and Hamilton Locke’s lawyers are protected by legal professional privilege, so they remain confidential should your organisation face legal consequences arising from the data breach.
As part of the assessment process, you must consider the severity of any harm that could arise for affected individuals and the likelihood of such harm eventuating. The greater the severity and the greater the likelihood, then the higher the risk.
Some factors to take into consideration when assessing risk are:
- The nature, sensitivity and volume of personal information involved in the data breach: generally speaking, the more sensitive the personal information and the greater the amount of personal information involved (in terms of both the number of individuals affected and the amount of information pertaining to each individual), the higher the risk of harm.
- The circumstances of the data breach, including its cause and extent: for example, where a breach was malicious, the risk of harm is generally higher than where the cause was accidental. Also consider whether the information was protected by one or more security measures (for example, password protection or encryption) and how likely it is that those measures could be overcome (an encrypted dataset whose key was not also compromised presents a much lower risk than one stored in plain text).
- Whether remedial action can be taken to remove the risk of harm: where your organisation is able to act before the harm eventuates (for example, by recovering the data or revoking compromised credentials), the risk of harm to affected individuals is correspondingly lower.
- The nature of the potential harm to affected individuals: you must consider the different types of harm (for example, financial loss, identity theft or fraud, reputational damage, threats to physical safety etc.) that could arise.
Step 3 – Notify: whether your company must, or chooses to, notify affected individuals of a data breach will largely be determined by the outcome of the assessment carried out in Step 2.
When deciding whether to notify affected individuals about a data breach, you must consider:
- The foreseeable risk of harm to affected individuals: you should notify individuals where there is a foreseeable risk of harm. If you are unsure whether such a risk exists, it is better to be safe than sorry: exercise caution and notify the affected individuals. Notification may not be necessary where the organisation has determined that there is no risk of harm, or that the risk is too remote to be of real concern.
- Contractual and other legal obligations: you must also consider whether your organisation is obliged to notify affected individuals or other bodies under legislation or under contract, in particular the Notifiable Data Breaches scheme (NDB Scheme) under the Privacy Act 1988 (Cth).
Under the NDB Scheme, an organisation covered by the Privacy Act that has reasonable grounds to suspect a data breach must complete an assessment within 30 days of becoming aware of it to determine whether there has been an “eligible data breach”, that is, unauthorised access to, disclosure of, or loss of personal information that is likely to result in serious harm to any of the individuals concerned. If the organisation determines that there has been an eligible data breach, it must notify the Office of the Australian Information Commissioner (OAIC) and the affected individuals as soon as practicable.
Step 4 – Review: once your company has dealt with the privacy impacts of the breach, it should conduct a review of the incident and identify measures that will prevent, or reduce the likelihood of, similar incidents in the future.
A review may include:
- regular audits of IT and physical security;
- review of your organisation’s cyber security, privacy and data breach policies and procedures;
- staff training and refreshers; and
- review of third-party service providers.
Hamilton Locke has legal practitioners experienced in advising on privacy obligations and managing data breaches and cyber-attacks. If you require assistance, please contact Alex Ninis (Partner) or Sarah Gilkes (Partner).
Written by Serpil Bilgic.