Data Breach Response Plan
Background
This Data Breach response plan (Response Plan) sets out the steps and procedure that Nutshell Media Pty Ltd ACN 641 571 146 (Nutshell Media) will follow in the event of a Data Breach that exposes Personal Information to unauthorised access or disclosure. The Response Plan includes the contact details of key staff and their responsibilities together with detailed identification, assessment and prevention plan.
1 What is Data Breach?
1.1 Data Breach occurs when unauthorised access to, or unauthorised disclosure of, Personal Information or a loss of Personal Information. Examples of a Data Breach are when a device containing Personal Information is lost or stolen, an entity’s database containing Personal Information is hacked or an entity mistakenly provides Personal Information to the wrong person.
1.2 Personal Information means information or an opinion about an individual who is identified, or who can reasonably be identified, from the information, whether or not the information or opinion is true or recorded in a material form, and includes Sensitive Information.
1.3 Sensitive Information means information or an opinion that is also Personal Information, about a person’s racial or ethnic origin, political opinions, memberships of political, professional and trade associations and unions, religious and philosophical beliefs, sexual orientation or practices, criminal history, health information, and genetic and biometric information.
1.4 Data Breach may be caused by internal or external entities and may result from a failure of data security or data handling systems, through human errors or by a hacking attack. Nutshell Media’s responsibilities and obligations vary depending on the causes and the extent of the Data Breach.
2 Data Breach Response Plan
2.1 Once a Data Breach is discovered, the response team will follow the process outlined below. This process may be updated to reflect best practices in IT security or change in legal requirements.
2.2 There are four key steps to consider when responding to a Data Breach or suspected Data Breach.
(a) Contain the Data Breach and do a preliminary assessment;
(b) Evaluate the risks associated with the Data Breach;
(c) Notification to OAIC and affected individuals; and
(d) Prevent future breaches.
3 Contain
3.1 Once a Data Breach or a suspected Data Breach has occurred, the Privacy Officer must be notified. The Privacy Officer is then responsible to carry out the actions in the rest of this Data Breach Response Plan, or otherwise delegate any part of it to any member of the response team.
3.2 Identify/Confirm Data Breach
(a) interview the person who reported the Data Breach and anyone else who may know about the Data Breach;
(b) identify the root cause of the Data Breach;
(c) ascertain if the Data Breach is caused by an internal or external entity;
(d) if relevant, gather information about the hacker such as the user account and IP address of the hacker;
(e) analyse data sources to determine what data was compromised as a result of the Data Breach;
(f) determine if any countermeasures put in place, such as a firewall, were enabled during the Data Breach;
(g) check if the data backup system functioned properly and safely secure the backup tapes;
(h) document when and how the Data Breach was contained, the user names that were used to gain access to data, IP address information of the hacker, timestamps of when unauthorised access to the system was gained, data accessed and, or modified;
(i) document the data that was compromised or modified, the modifications that were made to the data and any other information that may help identify the hacker;
(j) maintain logs and keep copies of all information and evidence collected, ensure all evidence and logs is preserved in safe custody; and
(k) consider a communications or media strategy to manage public expectations and media interest.
3.3 Measures to stop additional data loss/theft
Measures may include any of the following:
(a) in the case of inadvertent disclosure of Personal Information to the wrong person, contact the recipient and ask them to delete the relevant information;
(b) take affected machines offline;
(c) remove hacker tools;
(d) restrict access based on IP address;
(e) change log-in information of accounts used to gain unauthorised access;
(f) disable user accounts where required;
(g) install updates or patches where the Data Breach was caused due to software vulnerability; and
(h) evaluate IT security to identify any vulnerabilities and update data protection plans and data access controls where required.
3.4 Extent of Data Breach/Evaluate risk of further data loss
(a) once affected user accounts and systems have been identified, run scans on other systems and user accounts to check their data integrity; and
(b) if further data theft/loss is anticipated, deploy measures listed under section 3.3 for all other systems and user accounts to stop additional data theft/loss.
4 Assess Risks Associated with the Data Breach
4.1 Conduct initial investigation, and collect information about the Data Breach promptly, including:
(a) the date, time, duration, and location of the Data Breach;
(b) the type of personal information involved in the Data Breach;
(c) how the Data Breach was discovered and by whom;
(d) the cause and extent of the Data Breach;
(e) a list of the affected individuals, or possible affected individuals;
(f) the risk of serious harm to the affected individuals; and
(g) the risk of other harms.
4.2 Determine whether the context of the information is important.
4.3 Establish the cause and extent of the Data Breach.
4.4 Assess priorities and risks based on what is known.
4.5 Keep appropriate records of the Data Breach and actions of the response team, including the steps taken to rectify the situation and the decisions made.
5 Consider Breach Notification
5.1 Revisit state and federal regulations to identify all entities that need notification and legal principles that apply to the notifiable data breach framework. The below framework is applicable as at the date this policy was drafted.
5.2 Not all Data Breaches are notifiable. The response team must conduct a reasonable and expeditious assessment must be undertaken to determine if the Data Breach is likely to result in serious harm to any individual affected. If the response team determines that the Data Breach can be easily or quickly contained without serious harm to any individual, the Data Breach is not a notifiable Data Breach.
5.3 Assessment of the risk of serious harm will be considered by:
(a) the likelihood of the harm occurring and;
(b) the consequences of the harm.
5.4 Some of the factors that should be considered are:
| Factors | Considerations |
| The type of personal information involved in the Data Breach | Some kinds of personal information are more sensitive than others and could lead to serious ramifications for individuals if accessed. Information about a person’s health, documents commonly used for identity fraud (e.g. personal address, mobile number) or financial information are examples of information that could be misused if the information falls into the wrong hands. |
| Circumstances of the Data Breach | The scale and size of the Data Breach may be relevant in determining the likelihood of serious harm. The disclosure of information relating to a large number of individuals would normally lead to an overall increased risk of at least some of those people experiencing harm. The length of time that the information has been accessible is also relevant.
Consideration must be given to who may have gained unauthorised access to information, and what their intention was (if any) in obtaining such access. It may be that there was a specific intention to use the information in a negative or malicious way. |
| Nature of possible harm | Consider the broad range of potential harm that could follow from a Data Breach including:
1.    identity theft; 2.    financial loss; 3.    threat to a person’s safety; 4.    loss of business or employment opportunities, and 5.    damage to reputation (personal and professional). |
5.5 A Data Breach which is assessed as likely to result in serious harm to individuals whose Personal Information is involved, is a notifiable Data Breach. Such Data Breaches must be notified to the affected individuals and the Office of the Australian Information Commissioner. The notice must include information about the Data Breach and the steps taken in response to the Data Breach.
5.6 When notifying customers, inform the customers through a phone call and follow up with a detailed email outlining findings and measures taken to prevent any further data theft/loss.
5.7 Provide detailed instructions to customers, if any action is required to be taken by them, to prevent further damage.
5.8 Ensure all notifications occur within any mandated timeframes.
6 Review the incident and take action to prevent future breaches
6.1 Report to senior management
(a) prepare a report that includes all known facts about the Data Breach, mitigation plan put in place and the steps and resources needed to prevent the Data Breach from reoccurring; and
(b) present the plan to prevent reoccurrence of the Data Breach, progress made on the mitigation plan as well as potential risks and roadblocks.
6.2 Educate employees
(a) once the incident is resolved, inform employees of their specific role in the event of a data loss/theft; and
(b) require employees to periodically undergo security training courses.
6.3 Preventing future data theft/loss
(a) if the Data Breach was caused by a third-party application or operating system, immediately update the software. Where an update is not available, inform the vendor about the incident and seek their help to find a fix.
(b) evaluate current software update guidelines/schedules and make amendments as necessary;
(c) evaluate security measures already in place, identifying and eliminating weaknesses and implementing new data access controls as necessary;
(d) where the Data Breach is caused due to a user or employee error, educate the end users and employees. Verify if employees are keeping mobile devices and laptops secure and changing passwords as per policy;
(e) review how third parties are managing company data and if they are meeting agreed data protection standards;
(f) harden IT security as necessary. Evaluate allowing only encrypted communication;
(g) if any action is required from other customers to safeguard their data, create a detailed write-up explaining the actions customers are required to take and send out a communication to all customers.
7 Testing this plan
7.1 The response team should test this plan with a hypothetical data breach annually to ensure that it is effective.
8 Response Team and Responsibilities
8.1 The following table outlines key personnel/departments, their contact information and their responsibilities in case of a Data Breach.
| Â Person | Responsibility | Phone | |
| George Zhu | Privacy Officer | 0480 130 756 | [email protected] |
