Data breaches are a common occurrence in the tech world. In the past, if you wanted to steal information, you would have had to buy a crowbar, break a window and jimmy open a filing cabinet. These days, however, stealing data is as easy as guessing a password. Whether your breach is due to a phishing scam, a patchy security system, or Janet in accounting, most modern companies have to deal with the issue of digital security.
In recognition of this fact, the Australian government recently amended the Privacy Act to include the Notifiable Data Breaches Scheme, a comprehensive guide on how to deal with a data breach. Of course, in law-land, “comprehensive” is often a synonym for “mind-numbing”, so we’ve put together a short guide on how you should deal with data breaches that won’t put you to sleep.
What is a data breach?
A data breach is anything that results in somebody having unauthorised access to information, and which is likely to result in serious harm. It’s pretty context-specific. For example, if your toddler steals your phone, guesses your work password and sends a selfie to your boss, that’s probably not a serious data breach. However, if a 30-year-old Russian hacker does the same thing to your entire work contact list, it might result in serious harm.
If you suffer a data breach, there’s one thing you need to remember: CATS. It’s an initialism we came up with to simplify the data breach process. (It also doubles as a reminder to look at cats on the internet, which is a great way to relieve stress after a data breach).
- Control – If you think a breach has happened, your first job is to control the situation. Stop the breach to the extent that you can, lockdown, and identify what information might have been breached.
- Assess – Assess the situation. Ask whether serious harm is likely. If it is, you need to conduct an assessment of the incident and decide whether you can do anything to fix the harm arising from the breach.
- Talk – If your assessment reveals that serious harm is likely, you need to make a submission to the Australian Information Commissioner. A standard form is available here. You also need to notify anybody who might be harmed by the breach, either by contacting them directly or posting a message on your website. We also recommend apologising – it’s good manners.
- Summarise – In the wake of a data breach, you need to summarise the incident and make a plan to stop breaches from taking place in the future. Consider making staff training mandatory, auditing your platform, or hiring an internet security company to manage your systems. In short, do whatever will stop that ageing Russian hacker from sending more poorly-lit selfies to your managing partner.
You should also look at cats on the internet. Seriously, it’ll calm you right down.
If you’d like to discuss your Data Security call Rouse Lawyers’ technology team on 07 3667 9696.