The Office of the Australian Information Commissioner (OAIC) has developed a draft Guide to Developing a Data Breach Response Plan. The Commissioner notes that the cost of a data breach to an organisation can be significant, and that implementing a data breach response plan can help to mitigate those costs.
The data breach response plan should cover things like:
- a strategy for assessing and containing data breaches – this includes the actions the response team should take in the event of a breach or suspected breach,
- a clear explanation of what constitutes a data breach, so that staff are able to identify one should a breach occur,
- the reporting line if staff do suspect a data breach, including who needs to be informed immediately,
- who is responsible for determining which other external stakeholders should be contacted (for example, law enforcement agencies, regulators and the media),
- recording data breaches – the organisation should consider how to record data breaches, including those that are not referred to the response team, and
- a strategy to identify and address any weaknesses in data handling that contributed to the breach.
While the Guide is not legally binding, the Commissioner has indicated that preparing and implementing a data breach response plan is likely to help satisfy an organisation’s obligation under the Australian Privacy Act to take reasonable steps to protect the personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.
The closing date for comments is Friday 27 November 2015.
Link (OAIC): Guide to Developing a Data Breach Response Plan
Negotiations on the new Trans-Pacific Partnership (TPP) concluded last week, and the agreement includes a chapter on electronic commerce. The full text of the agreement is not yet available, but New Zealand’s Ministry of Foreign Affairs and Trade (MFAT) has released a summary.
The chapter on electronic commerce promises to be of particular interest to privacy and data protection practitioners. In its summary of chapter 14, MFAT states:
“TPP Parties commit to ensuring free flow of the global information and data that drives the Internet and the digital economy, subject to legitimate public policy objectives such as personal information protection. The 12 Parties also agree not to require that TPP companies build data centres to store data as a condition for operating in a TPP market, and, in addition, that source code of software is not required to be transferred or accessed.”
Link: TPP Ministerial Summary (MFAT)
In Australia, Kmart has engaged IT forensic investigators after the personal details of its online customers were accessed by an attacker. Kmart says no customer credit card details were compromised. However, customers’ names, email addresses, home addresses, telephone numbers and product purchase details were accessed in what Kmart describes as an “external privacy breach” early last month. Kmart has also contacted the Australian Privacy Commissioner and the Australian Federal Police to assist with the investigation.
In the US, Experian, one of the largest data brokers and credit agencies in the world, has also been breached. The compromised information includes names, addresses, and social security, driver’s licence and passport numbers. The licence and passport numbers were stored in an encrypted field, but Experian says that the encryption may also have been compromised.
Link: Kmart (Sydney Morning Herald) and Experian (The Guardian)
In June 2013, Ben Grubb, a Fairfax reporter, requested access to “all metadata information” stored by Telstra relating to his mobile phone services.
Telstra refused the request on the basis that Mr Grubb’s identity could not be ascertained from the metadata alone, so that it was not personal information as defined under the Australian Privacy Act. The Privacy Commissioner disagreed: although the metadata did not directly identify Mr Grubb, his identity was reasonably ascertainable by cross-matching the metadata against Telstra’s various network and records management systems.
The Commissioner noted that Telstra had a pool of over 120 staff who engaged in this kind of data retrieval, and that it used cross-matching for internal purposes and when responding to law enforcement agency requests.
Telstra has appealed the decision to the Administrative Appeals Tribunal.
Link: Ben Grubb and Telstra Corporation Ltd
The Office of the Australian Information Commissioner has released a new Privacy Management Framework and a checklist to help organisations comply with the Australian Privacy Principles. The guidance outlines four ‘e’ steps for good privacy governance:
- embed leadership and governance arrangements to create a culture of privacy that values personal information
- establish robust and effective privacy processes (e.g. training staff on their privacy obligations and developing a data breach response plan)
- evaluate the adequacy and currency of the business’s existing privacy practices (e.g. by creating feedback channels for staff and customers), and
- enhance (e.g. by commissioning an independent review to identify areas for improvement).
Among the tips on the checklist are:
- always consider doing a privacy impact assessment when developing a project that involves new or changed personal information handling practices
- collect only the information you need
- make that information accessible internally on a needs-to-know basis, and
- have a data breach response plan ready to go.
The new tools follow the Australian Information Commissioner’s release of a survey into the adequacy of the online privacy policies of 20 Australian and international organisations in the finance, retail, government and media sectors.
Links: Privacy management framework and Ten tips to protect your customers’ personal information
Singtel Optus has agreed with the Australian Privacy Commissioner to an independent audit of its internal privacy practices, after a flaw was detected in its security systems and it inadvertently published the private information of about 122,000 customers in an online directory without their consent.
Link: Enforceable undertaking by Singtel Optus
The Australian Securities and Investments Commission (ASIC) has released a report to help the Australian financial sector improve its cyber resilience. Suggested ‘health check prompts’ for cyber-risk management include:
- whether the board and senior management are aware of the entity’s cyber risks
- whether key third-party providers or clients are cyber resilient, and
- whether employees and contractors are properly trained to deal with cyber risk.
Link: ASIC report