still sometimes be personal information, so you may have ongoing privacy law obligations even after de-identifying the data. Certain recent data breaches in Australia have highlighted that organisations are not always good at deleting or de-identifying personal information once they no longer need it.
• Engage suitable third parties to test your data
Being ready to respond to a data breach
Hopefully, you'll never face a serious data breach. But if you do, you'll need to be ready to respond very quickly and sensibly. You should develop a data breach response plan now, so that you're ready to respond straight away if an
We recommend that you designate a single position within your organisation with responsibility for data security and developing and maintaining a data breach response plan. Commonly this is the chief technology officer.
You should also designate a team of people who will manage any data breach response. If an incident occurs, your organisation needs to be clear about who is responsible for managing the response. The team should comprise senior managers such as the chief technology officer, the privacy officer and representatives of the legal, public relations and HR teams.
Include the following in your data breach
• A checklist to follow in order to understand the nature and extent of the data breach, to understand its cause, to contain the breach and to preserve the evidence.
• A framework for evaluating the risks flowing from the breach. What is likely to happen to the data the subject of the breach? Is any other data in immediate danger?
• Guidance on how to decide whether to notify the affected individuals and the Privacy Commissioner. It is not currently mandatory to report a data breach, although the law may be changed later this year to make it mandatory. At the moment the Privacy Commissioner recommends you notify an individual if the breach creates a real risk of serious harm to him/her. A serious data breach should also be reported to the Privacy Commissioner (although again, this is not currently mandatory). Plan for how you will notify individuals. If you do have to notify, consider sending hard copy letters because email messages of this type may be mistaken for spam or "phishing" emails. Include a template letter in your Data Breach Response Plan.
• Instructions on how communications with the media, the general public and your business partners should be handled. Do you have any contractual obligations that require you to notify business partners? How will you quickly put 1800 numbers and web pages in place if needed to respond to a large volume of queries?
• A checklist to follow to determine what changes you need to make to prevent further breaches. Possibilities might include improving security, additional training for staff and changes to data collection, storage or processing practices. Changes to your recruitment process, internal privacy and security policies, and agreements with third parties might also come into consideration.
• A list of contact details for people you may need to contact quickly. This might include your key customers, service providers who help you to store or process data, police, regulators in your sector and external lawyers and public relations advisers. Your insurers and key business partners should also be added to the list.
Develop your data breach response plan so that it's consistent with, and part of, your organisation's broader crisis management framework.
Treat risk management as an ongoing task and not a 'set and forget' proposition. You need to continually review your risk profile and the measures you have in place to manage risk.
There is more information about how to prepare for and respond to a data breach in the Privacy Commissioner's Guide to Handling Personal Information Security Breaches at
While nobody expects a data breach to happen at their organisation, these things do happen to some organisations. Whether you have a good data breach response plan in place may make all the difference between a manageable outcome and an outcome that is very bad for the organisation and its senior management.
David Smith is a partner specialising in intellectual property and technology with Gadens Lawyers. For more information call +61 3 9252 2563 or email david.smith@
DATA DISASTER #1: TARGET USA
The US retailer Target suffered two enormous data breaches in late 2013. Up to 110 million customers were affected. Around 40 million sets of credit card details were stolen. Target was criticised for not being quick enough to let the public know about the breach. Phone lines and social media sites were swamped in the aftermath. Target's share price dropped by close to 20% after the breach and took around 12 months to recover. Target ran full-page apology ads in over 50 newspapers. In March 2014, the company's CIO resigned. In May 2014, the company president/CEO stepped down. Target is paying significant sums to resolve a class action lawsuit that followed the breach.
DATA DISASTER #2: KOREAN BANKS
In early 2014, an employee from Korea Credit Bureau stole information relating to about 20 million debit and credit card holders and sold it on to marketing companies. In the fallout, the CEO of the three affected Korean card-issuing banks resigned. Immediately after the incident was announced, card holders were frustrated when the banks' websites and call centres were overwhelmed and long queues formed in branches.
DATA DISASTER #3: STATE OF UTAH
The public sector is not immune. In 2012, the IT infrastructure of the State of Utah was hacked and personal data, including social security numbers, of nearly 800,000 people were taken. The Governor of Utah apologised for the failure to protect the personal information and fired the state CIO.
MHD SUPPLY CHAIN SOLUTIONS --- SEPTEMBER / OCTOBER 2015 65