Technology Law Insights: What to do before and after a data breach

This article is part of a series from Hamilton Locke’s IP and Technology team called “Technology Law Insights”. Stay tuned for regular updates and commentary on topical issues across the sector.

In April 2021, 553 million Facebook users’ personal data was leaked online, including 7.3 million Australians. Less than a week later, 500 million LinkedIn users similarly had their personal data leaked. These widescale data leaks by two of the largest global social media platforms are a timely reminder of the importance of having strong data management processes in place, and of developing a strategy for responding to inadvertent disclosures of personal data.

A data breach occurs when personal information is accessed or disclosed without authorisation or is lost. In Australia, organisations (which can include individuals and foreign entities) covered by the Privacy Act 1988 (Privacy Act) must notify affected individuals as well as the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches (NDB) scheme when there is a data breach involving personal information which is likely to result in serious harm. This includes financial fraud, identity theft, family violence and physical harm or intimidation.

Strong data management is therefore integral to the operation of a business. Beyond being a breach of the Privacy Act, a data breach can damage an organisation’s reputation. Clients need to be able to trust that their privacy is protected by the entities they give their personal information to. However, even organisations with excellent information security may still fall victim to data breaches given the rapid evolution of security threats. 

1.    Preventative Steps 

Organisations have an ongoing obligation to take reasonable steps to handle personal information in accordance with the Australian Privacy Principles (APPs). This may be achieved through:

(a)    Improving staff awareness 

Approximately 15% of privacy breaches [1] are the result of employees being tricked into revealing data, such as through phishing attacks. Another 30-40% [2] are the result of staff errors. Training can help raise staff awareness and lower these risks.

(b)    Digital and physical protections

Another 40% of breaches are the result of malicious attacks. [3] The risk of data breaches can be lowered by using appropriate protections. Examples include restricting access on a need-to-know basis; multifactor authentication for remote access; logging and reviewing unusual activity; implementing lockouts after repeated failed login attempts; enforcing strong passwords; securing workstations and laptops; and properly destroying physical documents and electronic media after use.
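Two of the protections listed above, lockouts after repeated failed logins and logging of unusual activity, are easy to misconfigure without a concrete picture of what they do. The following is an added illustration (it is not code from the article or from Hamilton Locke) that replays a small set of constructed authentication log lines, locks an account after a threshold of failures inside a time window, rejects attempts while the lockout is active, and raises review alerts for the lockout itself and for out-of-hours logins. The log format, the thresholds, the lockout duration and the business-hours range are all assumptions chosen for the example.

```python
"""Failed-login lockout and unusual-activity flagging over constructed log lines.

Added example, not from the article. Log format, thresholds and hours are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data).
# Assumed format: ISO timestamp, username, result (FAIL/OK), source IP.
SAMPLE_LOG = """\
2021-04-12T09:00:01 alice FAIL 203.0.113.5
2021-04-12T09:00:05 alice FAIL 203.0.113.5
2021-04-12T09:00:09 alice FAIL 203.0.113.5
2021-04-12T09:00:12 alice FAIL 203.0.113.5
2021-04-12T09:00:15 alice FAIL 203.0.113.5
2021-04-12T09:00:20 alice OK 203.0.113.5
2021-04-12T09:05:00 bob FAIL 198.51.100.7
2021-04-12T09:30:00 bob OK 198.51.100.7
2021-04-12T23:45:00 carol OK 192.0.2.99
"""

# Policy values are assumptions for the example; tune them to the organisation.
MAX_FAILURES = 5                 # failures within WINDOW that trigger a lockout
WINDOW = timedelta(minutes=10)   # sliding window over which failures are counted
LOCKOUT = timedelta(minutes=15)  # how long the account stays locked
BUSINESS_HOURS = range(7, 20)    # logins outside 07:00-19:59 are flagged for review


def parse_line(line):
    """Split one log line into (timestamp, user, result, source_ip)."""
    ts, user, result, ip = line.split()
    return datetime.fromisoformat(ts), user, result, ip


def evaluate_log(text, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
    """Replay log lines in order and apply the lockout policy.

    Returns a dict with:
      locked_until: user -> time the lockout expires
      alerts:       human-readable events worth reviewing
      decisions:    (timestamp, user, outcome) for every line
    """
    failures = defaultdict(deque)  # user -> timestamps of recent failures
    locked_until = {}
    alerts = []
    decisions = []

    for raw in text.strip().splitlines():
        ts, user, result, ip = parse_line(raw)

        # Drop failures that have fallen out of the sliding window.
        recent = failures[user]
        while recent and ts - recent[0] > window:
            recent.popleft()

        # While locked, every attempt is rejected, even one with the right password.
        if user in locked_until and ts < locked_until[user]:
            decisions.append((ts, user, "REJECTED_LOCKED"))
            continue

        if result == "FAIL":
            recent.append(ts)
            if len(recent) >= max_failures:
                locked_until[user] = ts + lockout
                alerts.append(f"{ts.isoformat()} lockout {user} after "
                              f"{len(recent)} failures from {ip}")
                recent.clear()
            decisions.append((ts, user, "FAIL"))
        else:
            recent.clear()  # a successful login resets the failure counter
            if ts.hour not in BUSINESS_HOURS:
                alerts.append(f"{ts.isoformat()} out-of-hours login {user} from {ip}")
            decisions.append((ts, user, "OK"))

    return {"locked_until": locked_until, "alerts": alerts, "decisions": decisions}


if __name__ == "__main__":
    report = evaluate_log(SAMPLE_LOG)
    for alert in report["alerts"]:
        print("ALERT", alert)
    for ts, user, outcome in report["decisions"]:
        print(ts.isoformat(), user, outcome)
```

In the sample, alice's sixth attempt succeeds on the password but is still rejected because the lockout from the five preceding failures is active; that is the behaviour a lockout is meant to provide, and the alert gives the review team the record to follow up. Carol's out-of-hours login is not blocked, only flagged, since unusual is not the same as unauthorised.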

(c)    Preparing and maintaining policies

Proper policies should be set up and followed to encourage good data management. For instance, policies regarding access to data; destruction of storage media; and procedures for staff to follow if they are concerned about data security. These policies will help ensure that consistent practices are followed within the organisation.

2.    Incident Response 

If there is a data breach, an organisation should respond to the data breach in four key steps:

(a)    Immediately contain the data breach

For example, shut down the system which was breached, recover the lost records, change computer access privileges and address weaknesses in both physical and electronic security. 

(b)    Assess the data breach within 30 days

Under the Privacy Act, organisations must investigate a suspected data breach within 30 days. Gather the facts and evaluate the risks. Is the breach likely to result in serious harm to an individual? Consider the type of information involved, the circumstances of the breach, the nature of the harm to individuals and how it may be remediated.

(c)    As soon as practicable, notify individuals and the OAIC if required 

If the breach is likely to result in serious harm to an individual, an organisation must notify the OAIC and the affected individuals. Even if notification is not compulsory, you may decide to notify voluntarily.

These first three steps should be taken simultaneously or in quick succession.

(d)    Review the incident and prepare actions to prevent future breaches. 

Take appropriate actions to address the breach. For instance, conduct a review of your security practices, policies and procedures, and conduct internal or external audits and penetration tests. The results of these activities should be fed back into your preventative steps above.

For more information please contact Sarah Gilkes (Partner) or Ben Cameron (Senior Associate) in Hamilton Locke’s IP & Technology team.

[1] Notifiable Data Breaches Report: July-December 2020, Office of the Australian Information Commissioner
[2] Ibid
[3] Ibid