Data Breach Policy
1. Purpose
This policy describes how Bernadette Meyers will respond to a data breach, in adherence to the Privacy Act 1988.
It is Bernadette Meyers’s belief that clear roles, responsibilities and procedures will serve as the foundation as a comprehensive privacy program.
This policy outlines:
the steps that Bernadette Meyers will take to contain, assess, notify, and review any data breaches that might occur; and
Notifiable Data Breaches and how Bernadette Meyers will address them if they occur.
All Bernadette Meyers employees, officers, representatives or advisers (‘Employees’) are required to understand and act in accordance with this policy.
2. Data Breach Definition
A data breach occurs when personal information or intellectual property held by Bernadette Meyers is subject to unauthorised access, disclosure, modification, or is lost. Data breaches can occur in a number of ways, including but not limited to:
Unauthorised Third-party security breaches (e.g. Hackers)
Unauthorised access, disclosure or modification by Employees and users
Data breaches of Third-party services used by Bernadette Meyers that affect user data
Implementation of a vendor risk management program to assess and monitor third-party service providers' data security practices and ensure they align with 's standards
Specific to Bernadette Meyers’s business, the following have been identified as possible data breach sources:
Accidental loss, unauthorised access, or theft of classified material data or equipment on which such Bernadette Meyers data is stored, such as company Laptops and USBs.
Unauthorised use, access to, or modification of data on Bernadette Meyers’s cloud databases.
Accidental disclosure of Bernadette Meyers user data or intellectual property, such as via email to an incorrect address.
Unauthorised data collection by third parties posing as Bernadette Meyers, e.g. Phishing Scam
Failed or successful attempts to gain unauthorised access to Bernadette Meyers information or information systems
Unauthorised data collection by third parties through Malware infections on Bernadette Meyers cloud databases, or hardware equipment.
Regular security updates and patch management for all systems and devices to mitigate vulnerabilities that could lead to data breaches.
3. What to do if a Data Breach is Suspected?
All Bernadette Meyers Employees who are aware of, informed of, or suspect a data breach must inform Bernadette Meyers’s IT team immediately. The IT team must then assess the suspected breach to determine whether or not a breach has in fact occurred. If a data breach has, in fact, occurred, then the IT team will manage the breach according to the steps outlined in the Data Breach Management Plan.
4. Data Breach Response Plan
In accordance with OAIC recommendations, the following steps will be taken in response to a verified Data Breach.
Contain the breach as soon as possible. Containment is ensuring that the breach itself is stopped. How a breach is stopped would depend on the particular instance but can include:
The suspension of compromised accounts;
Removal of malware, where identified;
Temporary platform downtime if necessary;
Recovering any lost data, if possible;
Repairing unauthorised modification of data, if possible;
Restoring access to the platform when able.
Assess the risks involved and the repercussions on respective stakeholders. The following may be considered in assessing the stakeholder risks:
The type of information involved;
Establish the cause and the extent of the breach;
Assess the risk of harm to affected persons;
Assess the risk of other harms: reputational damage;
Notify Management and Affected Individuals where appropriate;
Management must be notified of breaches as and when they occur, whether or not the breach is an eligible breach under the Notifiable Data Breach Scheme;
Bernadette Meyers is an APP 11 entity under the Privacy Act 1988 (Cth) and is and must, therefore, comply with its obligations under the Notifiable Data Breach Scheme;
Data Breaches that are not eligible under the Notifiable Data Breach Scheme need not be reported and may be addressed internally.
Prevent future similar breaches through strengthening security infrastructures and/or policies
Establish a dedicated Data Breach Response Team with clearly defined roles and responsibilities for each member, including IT, legal, communications, and management representatives.
5. Notifiable Data Breach Scheme
Under the Notifiable Data Breach Scheme, Bernadette Meyers is obliged to report data breaches that satisfy the following criteria:
there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that Bernadette Meyers holds;
That the unauthorised access to or disclosure of, or loss of personal information is likely to result in serious harm to one or more individuals; and
Bernadette Meyers has not been able to prevent the likely risk of serious harm with remedial action.
For further information on how to assess a notifiable data breach, Bernadette Meyers must refer to the OAIC’s APP guidelines.
Where Bernadette Meyers suspects that an eligible breach has occurred, it must carry out a reasonable and expeditious assessment of the breach: s 26WH(2)(a) of the Privacy Act. Where possible, the assessment must be completed within 30 days of Bernadette Meyers becoming aware of information that causes it to suspect that an eligible breach has occurred. If Bernadette Meyers is unable to complete the assessment within 30 days, a written document must be written which addresses:
how all reasonable steps have been taken to complete the assessment within 30 days;
the reasons for the delay; and
that the assessment was reasonable and expeditious.
Where an Eligible Breach has occurred, Bernadette Meyers must inform affected users AND the Privacy Commissioner. Bernadette Meyers is allowed to disclose eligible breaches to users in either of the following ways:
It may notify all Bernadette Meyers users
It may notify affected Bernadette Meyers users
It may publish a notification on its website
(d) It may conduct a post-breach review to identify lessons learned and implement necessary improvements to prevent future similar incidents
Disclosure of eligible breaches to the Privacy Commissioner may be done by online form.
For more information on disclosing Eligible Breaches under the Notifiable Data Breach Scheme, please refer to the OAIC’s webpage on the topic.
6. Disciplinary Consequences
Bernadette Meyers reserves the right to monitor Employees’ use, access and modification of the company’s data, and initialise an investigation if cases where an employee conducts an action that is in breach of this policy.
All Employees should handle Bernadette Meyers’s data with due diligence in accordance with this policy and any related policies. If an employee’s action or omission that is prohibited under this policy causes a disruption of integrity to the data system or leads to a breach defined in the Privacy Act, the employee may face severe disciplinary action up to and including termination at the discretion of Bernadette Meyers.
7. Regular audits and assessments of Bernadette Meyers's data protection measures and compliance with this policy, to be conducted at least annually or after any significant changes to data processing activities.