What is a data breach?
A data breach occurs when personal information that an entity holds is subject to unauthorised access or disclosure, or is lost.
Personal information is information about an identified individual, or an individual who is reasonably identifiable. Entities should be aware that information that is not about an individual on its own can become personal information when it is combined with other information, if this combination results in an individual becoming ‘reasonably identifiable’ as a result.
A data breach may be caused by malicious action (by an external or insider party), human error, or a failure in information handling or security systems.
Examples of data breaches include:
- Loss or theft of physical devices (such as laptops and storage devices) or paper records that contain personal information
- Unauthorised access to personal information by an employee
- Inadvertent disclosure of personal information due to ‘human error’, for example an email sent to the wrong person
- Disclosure of an individual’s personal information to a scammer, as a result of inadequate identity verification procedures.
As a respondent, your personal details may be given to us via our client with whom you have an existing relationship. These details are used solely for the purposes of contacting you and are not passed on to other parties.
Are all data breaches notifiable?
Not all data breaches require notification. The Office of the Australian Information Commissioner defines a data breach as notifiable when:
- There is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation or agency holds;
- This is likely to result in serious harm to one or more individuals, and
- The organisation or agency hasn’t been able to prevent the likely risk of serious harm with remedial action.
An organisation or agency that suspects an eligible data breach may have occurred must quickly assess the incident to determine if it is likely to result in serious harm to any individual.
What measures has Lonergan taken against data breaches?
As we frequently work with personal and often sensitive data, Lonergan employs several best practices to minimise the damage to affected parties in the event of a data breach:
- Storing all data, personal or otherwise, on a secure server and deleting personal information 3 months after project completion, unless otherwise agreed upon;
- Ensuring all company workstations are protected by enterprise endpoint cybersecurity solutions;
- Enforcing multi-factor authentication for staff web and email logins;
- Ensuring files are not taken offline wherever possible;
- Securely disposing of sensitive documents via shredding;
- Transferring files containing sensitive data only over trusted, encrypted channels, and
- De-identifying respondent data where it is not relevant to a project.
What happens in the event of a data breach?
Any data breaches that may occur are investigated. Regardless of the impact, vulnerabilities left unchecked can lead to further exploitation and more serious consequences. All Lonergan staff are aware of the company data breach response plan, and are trained to follow it accordingly.
Any staff member who experiences or suspects a data breach will record, and advise the data breach response team of, the time and date the suspected breach was discovered, the type of personal information involved, the cause and extent of the breach, and the context of the affected information and the breach.
The data breach response team will then carry out four key steps:
Contain the breach and perform a preliminary assessment
Once a breach has been identified, immediate steps are taken to ensure the breach is contained. Some examples include shutting down or quarantining the affected system, changing passwords and access codes, and recalling offending or vulnerable data (e.g. emails sent by accident).
Assess the risk of harm
After a breach has been contained, the data breach response team will assess the risk of harm. This includes investigating:
- The nature, sensitivity and volume of personal information involved in the data breach;
- The circumstances of the data breach, including its cause and extent;
- The nature of the potential harm to the affected individuals.
Although Lonergan takes steps to ensure each and every respondent’s data is secure, not all data breaches have serious consequences. For example, if only an email address is leaked, the level of risk is lower than where a breach discloses information that exposes the individual to identity theft.
Notify affected individuals
Whatever the apparent severity of the data breach, the deciding factor is whether there is a foreseeable risk of harm to affected individuals. This risk assessment is conducted in the previous step in accordance with the Lonergan data breach response plan.
Where a data breach meets the criteria for a notifiable breach as stated above, affected individuals will be notified as soon as possible, alongside the Office of the Australian Information Commissioner as per the Notifiable Data Breach Scheme under the Privacy Act 1988.
Review the incident and prevent a recurrence
After a data breach is resolved, Lonergan will conduct a review process with two objectives:
- Implementing key learnings to improve the data breach response process;
- Identifying areas of improvement in information handling practices.
The review may involve a security audit, a re-evaluation of employee training practices, and a review of the data breach response process, so that similar incidents do not recur and other incidents are handled swiftly.