epar Data Breach Response Plan
19 February 2018
Epar’s data breach response plan (response plan) sets out procedures and clear lines of authority for epar staff in the event that epar experiences a data breach (or suspects that a data breach has occurred).
A data breach occurs when personal information is lost or subjected to unauthorised access, modification, use or disclosure or other misuse. Data breaches can be caused or exacerbated by a variety of factors, affect different types of personal information, and give rise to a range of actual or potential harms to individuals and organisations.
This response plan is intended to enable epar to contain, assess and respond to data breaches in a timely fashion and to help mitigate potential harm to affected individuals. It sets out contact details for the appropriate staff in the event of a data breach, clarifies the roles and responsibilities of staff, and documents processes to assist epar to respond to a data breach.
Epar experiences or suspects a data breach
Discovered by epar staff member, or epar otherwise alerted
What should the epar staff member do?
- Immediately notify epar’s Managing Director of the suspected data breach.
- Record and advise the time and date the suspected breach was discovered, the type of personal information involved, the cause and extent of the breach, and the context of the affected information and the breach.
What should the Managing Director do?
- Liaise with epar’s Lead Software Engineer and Digital Product Manager to determine whether a data breach has or may have occurred.
- Determine whether the data breach is serious enough to escalate to the Data Breach Response Team (some breaches can be dealt with at the Manager level).
- If so, immediately escalate to the Data Breach Response Team.
- Alert the epar Data Breach Response Team Coordinator for action: Andrew Carters, Digital Product Manager (firstname.lastname@example.org).
When should a data breach escalate to the epar Data Breach Response Team?
Directors to use discretion in deciding whether to escalate to the response team
Some data breaches may be comparatively minor and can be dealt with easily without action from the epar Data Breach Response Team.
For example, an epar officer may, as a result of human error, send an email containing personal information to the wrong recipient. Depending on the sensitivity of the contents of the email, if the email can be recalled, or if the officer can contact the recipient and the recipient agrees to delete the email, it may be that there is no utility in escalating the issue to the response team.
Discretion should be exercised in determining whether a data breach or suspected data breach requires escalation to the response team. In making that determination, the following is to be considered:
- Are multiple individuals affected by the breach or suspected breach?
- Is there (or may there be) a real risk of serious harm to the affected individual(s)?
- Does the breach or suspected breach indicate a systemic problem in epar processes or procedures?
- Could there be media or stakeholder attention as a result of the breach or suspected breach?
If the answer to any of these questions is ‘yes’, then it may be appropriate to involve the response team.
Managing Director to inform the response team Coordinator of minor breaches
If the Managing Director decides not to escalate a minor data breach or suspected data breach to the response team for further action, the Managing Director should:
- send a brief email to the epar Digital Product Manager that contains the following information:
  - a description of the breach or suspected breach
  - the action taken to address the breach or suspected breach
  - the outcome of that action
There is no single method of responding to a data breach. Data breaches must be dealt with on a case-by-case basis, by undertaking an assessment of the risks involved, and using that risk assessment to decide the appropriate course of action.
There are four key steps to consider when responding to a breach or suspected breach; they are detailed in the checklist below.
- Contain the breach and do a preliminary assessment
- Evaluate the risks associated with the breach
- Consider Notification
- Prevent future breaches
The epar response team should ideally undertake steps 1, 2 and 3 either simultaneously or in quick succession.
Depending on the breach, not all steps may be necessary, or some steps may be combined. In some cases, it may be appropriate to take additional steps that are specific to the nature of the breach.
STEP 1 – Contain the breach and make a preliminary assessment
- Convene a meeting of the epar data breach response team.
- Immediately contain the breach:
  - IT to implement the Incident Response Plan if necessary.
- Inform the Managing Director and Digital Product Manager and provide ongoing updates on key developments.
- Ensure evidence is preserved that may be valuable in determining the cause of the breach or allowing epar to take appropriate corrective action.
- Consider developing a communications or media strategy to manage public expectations and media interest.
STEP 2 – Evaluate the risks for individuals and organisations associated with the breach
- Conduct an initial investigation, and collect information about the breach promptly, including:
  - the date, time, duration, and location of the breach
  - the type of personal information involved in the breach
  - how the breach was discovered and by whom
  - the cause and extent of the breach
  - a list of the affected individuals, or possibly affected individuals
  - the risk of serious harm to the affected individuals
  - the risk of other harms.
- Determine whether the context of the information is important.
- Establish the cause and extent of the breach.
- Assess priorities and risks based on what is known.
- Keep appropriate records of the suspected breach and actions of the response team, including the steps taken to rectify the situation and the decisions made.
STEP 3 – Consider breach notification
- Determine who needs to be made aware of the breach (internally, and potentially externally) at this preliminary stage.
- Determine whether to notify affected individuals – is there a real risk of serious harm to the affected individuals? In some cases, it may be appropriate to notify the affected individuals immediately; e.g., where there is a high level of risk of serious harm to affected individuals.
- Consider whether others should be notified, including police/law enforcement, other agencies or organisations affected by the breach, or specific parties that epar is contractually required (or required under the terms of an agreement or similar obligation) to notify.
STEP 4 – Review the incident and take steps to prevent future breaches
- Fully investigate the cause of the breach.
- Report to the epar Managing Director on outcomes and recommendations:
  - Update the security and response plan if necessary.
  - Make appropriate changes to policies and procedures if necessary.
  - Revise staff training practices if necessary.
- Consider the option of an audit to ensure the necessary outcomes are achieved.