Mandatory Data Breach Notification - Tips and Traps
This article is an extract from Mandatory Data Breach Notification – Tips and Traps.
Do you expect to advise corporate clients in the face of changing legislation this year? Are you already advising on other cyber risk matters? Technology is moving fast and altering the legal landscape of your clients, and we at LexisNexis are keeping our finger on the pulse of change – with the help of our expert authors.
Cheng Lim, Partner at King & Wood Mallesons, focuses on some of the subtleties and nuances of Mandatory Data Breach Notification requirements. His recent article, Mandatory Data Breach Notification – Tips and Traps, sets out key aspects of the legislative changes that may not be immediately obvious.
With the new regime in effect now, APP entities should have already taken steps to ensure they have robust policies and procedures to enable them to comply with the new mandatory data breach notification regime. However, if they have not done so, it’s not too late to get started!
The steps that should be taken, at a minimum, include:
- updating incident management plans. Plans should provide clear, concise guidelines and procedures for immediate response to suspected breaches. Plans should also cover team composition with clear roles and responsibilities (including media, corporate affairs, regulatory, privacy, legal, senior management and technology), contact numbers, escalation procedures, and pro-forma notification documentation;
- training and education. Staff should be trained and appropriately equipped to manage cyber security risk, and to identify breaches and initiate the incident management plan should it be required; and
- reviewing contracts. Contracts should be amended to include provisions designed to ‘fill in the blanks’ created by the new mandatory data breach notification regime. In particular, the contracts should address the party responsible for breach assessment and notification. They should also give customers clear audit and information rights if a breach does occur.