Responding to a data security breach as it occurs

To determine how to respond to a data security breach involving the personal information of one or more individuals, the organisation should determine:

  • what is the nature of the data security breach;
  • what is/are the cause(s) of the data security breach;
  • who is affected by the data security breach; and
  • what are the potential consequences for the organisation and those affected by the data security breach.

An organisation should have one or more decision-makers (ie a response team) who are responsible for:

  • assessing the nature and cause(s) of a data security breach;
  • identifying who is affected and what the potential consequences are; and
  • deciding upon an appropriate course of action for the organisation in relation to a data security breach.

It is important for an organisation to first identify the nature of a data security breach, to help it determine and plan an appropriate response.

It is also important for an organisation to identify the actual and potential consequence(s) of a data security breach.

This will help the organisation to prepare an appropriate response to the data security breach, including identifying what actions and organisational resources that response requires.

Promptly upon becoming aware of a data security breach, an organisation should ensure that key internal stakeholders are:

  • alerted to the occurrence of the data security breach; and
  • given sufficient information in relation to the data security breach as soon as possible to enable them to assess the potential impacts of the occurrence.

An organisation may need to develop a different response depending on whether it is at fault or whether another organisation or person is at fault.

Such a response should take into account a range of considerations, including compliance with any relevant contracts with affected parties and communications with affected parties.