Obligations to respond appropriately to data breaches

To determine how to respond to a data security breach, a service provider should determine:

  • what is the nature of the data security breach;
  • what is/are the cause(s) of the data security breach;
  • who is the perpetrator of the breach;
  • who is affected by the data security breach; and
  • what are the potential consequences for the service provider and those affected by the data security breach.

A service provider should have one or more decision-makers (ie a response team) who are responsible for:

  • assessing the nature and cause(s) of a data security breach;
  • identifying who is the perpetrator of the breach;
  • identifying who is affected and what the potential consequences are; and
  • deciding upon an appropriate course of action for the service provider in relation to a data security breach.

It is important for a service provider to first identify the nature of a data security breach, to help it determine and plan an appropriate response.

It is also important for a service provider to identify the cause(s) of a data security breach, to help it determine an appropriate response.

Once a service provider has identified the nature and cause(s) of the data security breach, it can:

  • prepare its response plan; and
  • implement remedial measures to seek to avoid any recurrences of the data security breach.

The nature of a data security breach, eg a breach of the Privacy Act 1988 (Cth) or a breach of a commercial contract in relation to privacy or data security, may require notification to affected parties or regulators within specified periods of time, and may also require a level of cooperation and disclosure in relation to subsequent investigations. See Overview — The data breach notification regime.

It is also important for a service provider to identify the actual and potential consequence(s) of a data security breach.

Promptly upon becoming aware of a data security breach, a service provider should ensure that key internal stakeholders are:

  • alerted to the occurrence of the data security breach; and
  • given sufficient information in relation to the data security breach as soon as possible to enable them to assess the potential impacts of the occurrence.

There is a range of issues for a service provider to consider when responding to a data security breach where the service provider is at fault, including breach notification requirements and communications with affected parties.

There is also a range of issues for a service provider to consider when it is affected by a data security breach by another organisation.