Consultation Paper - Draft Voluntary Information Security Breach Notification Guide - April 2008
- How to comment on this consultation paper
- Acknowledgements
- PART A
- About this Consultation Paper
- PART B
- Draft Voluntary Information Security Breach Notification Guide - April 2008
- 1. The purpose of this guide
- 2. Scope of this guide
- 3. Who should use this guide?
- 4. What is an information security breach?
- 4.1 Terminology-'data', 'privacy' or 'security' breaches?
- 5. Preventing information security breaches
- 5.1 Obligations under the Privacy Act
- 5.2 Other obligations
- 5.3 Considerations for keeping information secure
- 6. Why breach notification is good privacy practice
- 7. Four key steps in responding to a breach
- STEP 1: Contain the breach and do a preliminary assessment
- STEP 2: Evaluate the risks associated with the breach
- An example of evaluating the risks associated with the breach
- STEP 3: Consider notification
- (a) Deciding whether to notify affected individuals
- (b) Process of notification
- (c) What should be included in the notification?
- (d) Others to Contact
- STEP 4: Prevent future breaches
- Tips for preventing future breaches
- 8. The Role of the Office of the Privacy Commissioner
- 9. Schematic guide to breach notification
- Appendix A
How to comment on this consultation paper
Comments on the consultation paper may be emailed to consultation@privacy.gov.au. Alternatively, they may be posted to:
Information Security Breach Notification Consultation
Office of the Privacy Commissioner
GPO Box 5218
Sydney NSW 2001
If you would like to discuss the consultation paper, please contact us on
1300 363 992.
Comments are invited by 16 June 2008.
Acknowledgements
The Office of the Privacy Commissioner acknowledges the informative work undertaken by the Office of the Privacy Commissioner of Canada, the Offices of the Information and Privacy Commissioner of British Columbia, Ontario and Alberta and the Office of the Privacy Commissioner of New Zealand in the area of privacy breach notification information and guidance. The draft Voluntary Information Security Breach Notification Guide presented in this consultation paper builds on the guidance material produced by those Offices.
PART A
About this Consultation Paper
1. Purpose
The aim of this consultation paper is to seek stakeholder views on a draft voluntary information security breach notification guide (the draft guide) developed by the Office of the Privacy Commissioner (the Office) to assist public sector agencies and private sector organisations to respond effectively to an information security breach.
The consultation paper appears in two main parts. This section (Part A) of the consultation paper provides background on breach notification as well as a number of questions which stakeholders may like to consider when commenting on the draft guide.
It is followed in Part B by the draft guide itself, which provides an outline of the key steps agencies and organisations should consider taking when responding to an information security breach, including considering breach notification to affected individuals.
2. Background
Information security breaches of personal information are a risk to individuals, agencies and organisations. Over the past few years, incidents in Australia and overseas have illustrated the importance of adequate information security and the consequences that breaches can have. These consequences can include both adverse outcomes for individual privacy, and for the reputation and activities of agencies and organisations that were responsible for the information.
The serious nature of information security and the issue of what is the appropriate response to an information security breach have been highlighted by several major high-profile data breaches occurring in the United Kingdom and the United States which have collectively resulted in the loss of millions of people's personal information.
Such events are of particular concern with an increasing incidence of identity theft and identity fraud around the world, a concern reflected in the Australian community. For example, the Office's Community Attitudes to Privacy 2007 research found that 60% of individuals are concerned about becoming a victim of identity fraud or theft, with 9% indicating they had been a victim themselves and 17% personally knowing someone who has been a victim.[1]
Countries have introduced a range of measures in an attempt to address these issues. Following the introduction of breach notification laws in California in 2002, a further 40 states in the United States have introduced such laws. The Commission of the European Communities also proposed the introduction of security breach notification provisions for network operators and internet service providers in its 2006 Review of the EU Regulatory Framework for electronic communications networks and services.[2] In Canada, privacy regulators at both the federal and provincial level have developed voluntary guidelines for responding to data breaches. New Zealand has also adopted guidelines developed along similar lines.
In Australia, the Privacy Act 1988 (Cth) (Privacy Act) does not specifically require an agency or organisation to notify individuals or the Privacy Commissioner of a breach of information security. However the issue of an amendment to the Privacy Act to require mandatory data breach notification is under consideration as part of the Australian Law Reform Commission's (ALRC) review of privacy.
In recognition of the global trends in this area and to respond to requests from agencies and organisations, the Office has developed a voluntary guide to assist agencies and organisations to respond to information security breaches and take steps to prevent such incidents from occurring. The draft guide has been informed by voluntary guidelines adopted by the Privacy Commissioner of Canada and the New Zealand Privacy Commissioner.[3]
It is the Office's view that breach notification in certain circumstances is good privacy practice and reflects key privacy principles. In particular, notifying individuals of a breach to the security of their personal information allows individuals to take steps to protect their personal information. In this way notification can enhance an agency or organisation's transparency and openness with individuals; an important part of consumer trust and confidence. It would also provide a strong market incentive for agencies and organisations to adequately secure the personal information they hold.
3. Relationship of the draft guide to law reform proposals
The issue of information security breach notification laws for Australia is currently under consideration by the ALRC as part of its review of the Privacy Act. In its 2007 Discussion Paper Review of Australian Privacy Law, the ALRC made a preliminary reform proposal for amendments to the Privacy Act to require agencies and organisations to notify affected individuals and the Privacy Commissioner of an information security breach in certain circumstances.[4]
While the development of this draft guide precedes the ALRC's final recommendations from the review (due in the first half of 2008) and the Australian Government's consideration of those recommendations, this draft guide is not intended to be a substitute for further consideration of legislative reform in respect of mandatory breach notification.[5]
In this regard, given the benefits to individuals, organisations and agencies, the Office supports the introduction of an appropriate mandatory information security breach notification requirement for agencies and organisations.[6]
4. Some topics for consideration when commenting on the draft guide
The following questions provide possible issues for consideration when commenting on the draft guide. It is not mandatory to address these questions in your submission.
- 1. Is the terminology 'information security breach' appropriate? Would another term be more appropriate?
- 2. Are the steps in the draft guide adequate and easy to follow? In your opinion, are any steps missing?
- 3. Are the examples realistic and relevant? Are there any other specific scenarios that might warrant inclusion as a way of illustrating a particular aspect of breach notification?
- 4. What amendments could be made to improve the clarity and accessibility of the document? For example, how might the drafting, language and formatting of the document be made clearer?
- 5. Are there any details not contained in the draft guide that, in your view, need to be included?
- 6. Do you consider this a useful model for your own organisational or agency response to information security breaches?
- 7. Is the guidance on when, how and who to notify in the event of an information security breach clear? Are there further aspects to notification that would benefit from explanation?
- 8. Is the Privacy Commissioner's role in the notification process sufficiently clear? Would more or less information be useful?
- 9. Are there any terms in the draft guide that would benefit from definition?
- 10. Are there any other issues you would like to raise?
Comments on the consultation paper may be emailed to consultation@privacy.gov.au. Alternatively, they may be posted to:
Information Security Breach Notification Consultation
Office of the Privacy Commissioner
GPO Box 5218
Sydney NSW 2001
If you would like to discuss the consultation paper, please contact us on
1300 363 992.
Comments are invited by 16 June 2008.
PART B
Draft Voluntary Information Security Breach Notification Guide - April 2008
1. The purpose of this guide
This guide has been developed to assist agencies and organisations to respond effectively to an information security breach. In particular, the guide explains when an effective response to an information security breach might include notification of individuals affected by the breach.
The Office has developed this guide to respond to requests from agencies and organisations and in recognition of the global trends towards breach notification. Breach notification has been introduced as law in many states in the United States and is being considered by other countries including Australia. This voluntary guide has been informed by voluntary guidelines developed by the Privacy Commissioner of Canada and the Privacy Commissioner of New Zealand.[7]
2. Scope of this guide
Breach notification is one particular option in responding to an information security breach. However a key challenge is to determine in what circumstances it is an appropriate response. While establishing appropriate thresholds for requiring breach notification can be considered good privacy practice, the steps and actions outlined in the guide are not specifically required under the Privacy Act 1988 (the Privacy Act). Therefore, compliance with this guide is voluntary.
The aim of this guide is to provide general guidance on key steps and factors for agencies and organisations to consider when responding to an information security breach, without the sole focus being notification of breaches. In this way the guide encourages a risk-analysis approach so that agencies and organisations evaluate an incident on a case-by-case basis and make decisions on actions to take according to their own assessment of risks and responsibilities in their particular circumstances.
The guide also highlights the importance of preventative measures as part of a holistic information security plan.
It is important to note that, while the guidance is not mandatory and is of an advisory nature only, agencies and organisations do have binding legal obligations under the Privacy Act to secure personal information, as set out in the Information Privacy Principles (IPPs) and National Privacy Principles (NPPs).
3. Who should use this guide?
This guide has been developed for use by Australian and ACT Government agencies and private sector 'organisations'[8] that handle personal information. As well as businesses, organisations in the not-for-profit, community and charity sectors may find the guide useful.
The guide may also be useful to small businesses that have obligations under Part IIIA of the Privacy Act.
Government agencies of the states and the Northern Territory, as well as private sector businesses not covered by the Privacy Act, may find the guide helpful in outlining good privacy practice. However, the Privacy Commissioner would not have a role in receiving notifications about information security breaches from these entities.
State and Northern Territory government agencies should also consider the role of relevant Privacy or Information Commissioners in their own jurisdictions.
4. What is an information security breach?
An information security breach occurs when personal information is exposed to unauthorised access, use, disclosure or modification as a result of a breach of an agency's or organisation's information security.
Information security breaches can occur in a number of ways. Some of the most common information security breaches happen when personal information held by an agency or organisation is lost, misused, mistakenly disclosed or stolen. Some examples include:
- laptops, removable storage devices, or physical files containing personal information becoming lost or stolen
- an agency or organisation mistakenly providing personal information to the wrong person, for example by sending details out to the wrong address
- an individual deceiving an agency or organisation into improperly releasing the personal information of another person
- databases containing personal information being 'hacked' into or otherwise illegally accessed by individuals outside of the agency or organisation and
- employees accessing personal information outside the requirements of their employment.
It is important to recognise that information security breaches are not limited to external malicious actions, such as theft or 'hacking', but may just as often involve internal errors and failures to follow established information handling procedures. While there may be no harm intended, these types of security breach can affect individuals' privacy as much as malicious actions.
Although a key concern relating to information security breaches is the risk of identity theft or fraud (particularly where credit card information is compromised), the risks from information security breaches are not limited to financial harm-for example, leaks of details about an individual's personal affairs or health information can cause other types of harm such as humiliation, damage to reputation or relationships and loss of business or employment opportunities.
4.1 Terminology-'data', 'privacy' or 'security' breaches?
A range of jurisdictions have adopted laws or guidelines in relation to breach notification. As a result, a range of different terminology has been adopted, with terms such as 'data breach', 'privacy breach' and 'security breach' being used.
This guide uses the term 'information security breach', for two main reasons. Firstly, the reference to 'information' reflects the focus of the Privacy Act on the protection of 'personal information', and is used in preference to the term 'data' which is generally not used in the language of the Privacy Act. [9] Secondly, the reference to 'security' emphasises that security is one particular aspect of protecting information privacy, and is used in preference to the term 'privacy breach' which could be construed more broadly as encompassing breaches of other privacy principles, for example, the obligations on agencies and organisations to keep information accurate, complete and up to date.
5. Preventing information security breaches
Information security is a basic principle in the protection of information privacy.[10] In Australia, this principle is reflected in the Privacy Act in both the IPPs and the NPPs.
5.1 Obligations under the Privacy Act
The IPPs regulate the way most Australian and ACT Government agencies handle personal information. These principles cover the collection, storage, use, disclosure and access obligations of those agencies.
The NPPs regulate the way private sector organisations handle personal information. These principles cover collection, storage, use, disclosure and access obligations of organisations covered by the Privacy Act. In general the NPPs apply to all businesses and non government organisations with a turnover of more than $3 million, all health service providers and a limited range of small businesses.[11]
Agencies and organisations are required to take reasonable steps to protect the personal information they hold from misuse and loss and from unauthorised access, modification or disclosure. This requirement is set out in IPP 4 for public sector agencies and NPP 4 for private sector organisations.[12] (See Appendix A for IPP 4 and NPP 4.)
In addition, section 18G(b) of the Privacy Act imposes equivalent obligations on credit reporting agencies and all credit providers. Similarly, guideline 6.1 of the statutory guidelines regulating Tax File Numbers (TFN) requires TFN recipients to afford TFNs security safeguards as are reasonable in the circumstances.
5.2 Other obligations
Many agencies are subject to agency-specific legislative requirements that add further privacy protections (such as secrecy provisions), as well as legislative and other requirements which apply more generally across government.[13]
Organisations may also be subject to additional obligations through sectoral specific-legislation in respect of particular information they hold. For example, Part 13 of the Telecommunications Act 1997 (Cth) sets out obligations on the telecommunications industry in relation to the handling of certain telecommunications-related personal information. Some organisations may also have common law duties relating to confidentiality of particular information.
These additional obligations need to be considered by agencies and organisations when taking steps to prevent or respond to information security breaches.
5.3 Considerations for keeping information secure
While the focus of the guide is the process of responding to an information security breach agencies and organisations should aim to avoid such breaches in the first place by ensuring that they have appropriate security safeguards in place consistent with IPP 4 or NPP 4.
What are reasonable steps to secure personal information will depend on the agency or organisation's particular circumstances. Generally, the steps agencies and organisations should take to keep personal information secure should be proportionate to the type of the information held, how it is held and what risks could be associated with its mishandling. Some relevant factors could include:
- the sensitivity to the individual of the personal information the organisation holds
- the harm that is likely to result to people if there is a breach of security
- how the agency or organisation stores, processes and transmits the personal information (for example, paper-based or electronic records, or using a third party service provider).
Appropriate security safeguards for personal information need to be considered across a range of areas. This could include maintaining physical security, computer and network security, communications security and personnel security. To meet their information security obligations, agencies and organisations should consider the following steps:
- risk assessment - identifying the security risks to personal information held by the organisation and the consequences of a breach of security
- policy development - developing a policy or range of policies that implements measures, practices and procedures to reduce the identified risks to information security
- staff training - training staff and managers in security awareness, practices and procedures
- technology - implementing privacy enhancing technologies to secure personal information held by the agency or organisation
- monitor and review - monitoring compliance with the security policy, periodic assessments of new security risks and the adequacy of existing security measures, and ensuring that effective complaint handling procedures are in place
- standards - looking at relevant Australian and international standards as a guide and
- privacy impact assessments and audits- evaluating, in a systemic way, the degree to which proposed or existing information systems align with good privacy practice and legal obligations.
In seeking to prevent information security breaches, agencies and organisations should consider their other privacy obligations under the IPPs and NPPs. Some breaches or risks of harm can be avoided or minimised by not collecting particular types of personal information or only keeping it for as long as necessary. Consider:
- What personal information is necessary to be collected? Simply put, personal information that is not collected can not be mishandled, so why risk collecting unnecessary information? Both IPP1 and NPP1 require that agencies only collect personal information that is necessary for one or more of its functions or activities. IPP 3 also requires that a collector of personal information take steps to ensure that the information collected is relevant to the purpose for which it was collected.
- How long does the personal information need to be kept? NPP4.2 requires organisations to securely destroy or permanently de-identify information that is no longer needed for the permitted purposes for which it may be used or disclosed. Although the IPPs do not contain a similar obligation, agencies should nevertheless consider retention practices, subject to other applicable record-keeping requirements.
6. Why breach notification is good privacy practice
Both the Information Privacy Principles (IPPs) and the National Privacy Principles (NPPs) in the Privacy Act 1988 require that personal information be held securely. Failure to comply with security principles constitutes an interference with privacy under the Privacy Act.
The Privacy Act does not specifically require an agency or organisation that holds personal information to notify individuals or anyone else (such as the Privacy Commissioner) if personal information becomes accessible to unauthorised persons as a result of a breach of information security safeguards. However, notifying individuals where an information security breach affects their personal information is consistent with important privacy principles, as can be seen in the following points:
- Notification as a reasonable security safeguard: As part of the obligation to keep personal information secure,[14] notification may in some circumstances be considered as a reasonable step in the protection of personal information against misuse, loss or unauthorised access, modification or disclosure.
- Notification as openness about privacy practices: Being open and transparent with individuals about how personal information may be handled is recognised as a fundamental privacy principle.[15] Part of being open about the handling of personal information may include telling individuals when something goes wrong and explaining what has been done to try to avoid or remedy any actual or potential harm.
- Notification as restoring control over personal information: Privacy is valued, not only because it underpins our human dignity but also because it gives individuals a measure of control in their everyday interactions as to how personal information about them is handled. To this end, the Privacy Act seeks to ensure that individuals know why information is collected, what it is used for, who it is ordinarily disclosed to and provides for rights of access and correction.[16]
Notification of a breach in appropriate circumstances is consistent with good privacy practices and is to be encouraged in maintaining a community in which privacy is valued and respected. The main challenge is to determine what circumstances justify notification. This includes giving consideration to factors such as the type of personal information involved in the breach and the risk of harm to individuals amongst other things.
7. Four key steps in responding to a breach
Information security breaches can be caused by a variety of factors, affect different types of personal information and give rise to a range of actual or potential harms to individuals, agencies and organisations.
Given this context, it is clear that there is no single way of responding to an information security breach. Each incident will need to be dealt with on a case-by-case basis, undertaking an assessment of the risks involved, and using that risk assessment as the basis for deciding what actions to take in the circumstances.
There are four key steps to consider when responding to a breach or suspected breach:
Step 1: Contain the breach and do a preliminary assessment
Step 2: Evaluate the risks associated with the breach
Step 3: Consider notification
Step 4: Prevent future breaches
Each of the steps is set out in further detail below.
General tips:
- Be sure to take each situation seriously and move immediately to contain and assess the suspected breach. Breaches that may initially seem immaterial may be significant when their full implications are assessed.
- You should undertake steps 1, 2 and 3 either simultaneously or in quick succession. Step 4 provides recommendations for longer-term solutions and prevention strategies.
- The decision on how to respond should be made on a case-by-case basis. Depending on the incident, not all steps may be necessary, or some steps may be combined.
STEP 1: Contain the breach and do a preliminary assessment
Once you have discovered or suspect that an information security breach has occurred, you should take immediate common sense steps to limit the breach. For example:
- Immediately contain the breach. For example, stop the unauthorised practice, recover the records, shut down the system that was breached, revoke or change computer access codes or correct weaknesses in physical or electronic security.
- Designate an appropriate individual to lead the initial assessment. This individual should have sufficient authority to conduct the initial investigation, gather any necessary information and make initial recommendations. If necessary, a more detailed evaluation may subsequently be required.
- Determine the need to assemble a team which could include representatives from appropriate parts of the agency or organisation.
- Determine who needs to be made aware of the incident internally, and potentially externally, at this preliminary stage. Escalate internally as appropriate including informing the person within your agency or organisation responsible for privacy compliance.
- If the breach appears to involve theft or other criminal activity, notify the police. Do not compromise the ability to investigate the breach.
- Be careful not to destroy evidence that may be valuable in determining the cause or would allow you to take appropriate corrective action.
An example of breach containment and preliminary assessment
An online recruitment agency accepts résumés from jobseekers and makes these available to recruiters and employers on a password protected website.
A jobseeker whose résumé is on the site forwards the recruitment agency an email she received which she suspects is a 'phishing' email. The email is personalised and contains information from her résumé. It contains a number of spelling mistakes and offers her a job. The email claims that all she has to do to secure the job is to provide her bank accounts details so she can be paid.
While 'phishing' is common on the internet, the recruitment agency assigns a member from its IT team to undertake a preliminary assessment. It is found that the email is indeed a phishing email. It claims to be from a recruiter and directs the recipient to a website which asks them to enter further information. It also installs spyware on the recipient's computer.
The recruitment agency seeks to establish how phishers came to have the résumé details of the jobseeker. The recruitment agency's preliminary assessment reveals that the phishers have stolen legitimate user names and passwords from recruiters who use the site and have fraudulently accessed jobseeker information.
The IT team escalates the issue internally by informing senior staff members and quickly contains the breach by disabling the compromised recruiter accounts. Based on the IT team's preliminary assessment, senior staff move to evaluate risks associated with the breach and consider what actions should be taken to mitigate any potential harm.
STEP 2: Evaluate the risks associated with the breach
To determine what other steps are immediately necessary you should assess the risks to the individual associated with the breach.
Consider the following factors in assessing the risks:
- (a) What personal information is involved?
- (b) What is the cause and extent of the breach?
- (c) Who is affected by the breach?
- (d) What is the risk of harm that could result from the breach?
These factors are further expanded in the table below:
| (a) Consider what personal information is involved | |
| Considerations | Comments and examples |
| How sensitive is the information? |
Generally, the more sensitive the information the higher the risk of harm to individuals. Some personal information is more sensitive than others (eg. health information, government-issued identifiers such as Medicare numbers, driver licence and health care numbers, and financial account numbers such as credit or debit card numbers that could be used in combination for identity theft). |
| What is the context of the personal information involved? |
For example, a list of customers on a newspaper carrier’s route may not be sensitive. However, the same information about customers who have requested service interruption while on vacation may be more sensitive. While publicly available information such as that found in a public telephone directory may be less sensitive, this also depends on context. For example, what might be the implications of someone’s name and phone number being associated with the services you offer? |
| How can the personal information be used? |
Can the information be used for fraudulent or otherwise harmful purposes? The combination of certain types of sensitive personal information along with name, address and date of birth suggest a higher risk due to the potential for identity theft. |
| (b) Establish the cause and extent of the breach | |
| Considerations | Comments and examples |
| Is there a risk of ongoing breaches or further exposure of the information? | What was the extent of the unauthorised access to or collection, use or disclosure of personal information, including the number and nature of likely recipients and the risk of further access, use or disclosure, including via mass media or online? |
| Was the information lost or was it stolen? | If it was stolen, can it be determined whether the information was the target of the theft or not? |
| Is the personal information adequately encrypted, anonymised or otherwise not easily accessible? | For example, if a laptop containing adequately encrypted information is stolen, subsequently recovered and investigations show that the information was not tampered with, notification to individuals may not be necessary. |
| What was the source of the breach? | For example, did it involve external malicious behaviour, or was it an internal processing error? |
| Has the personal information been recovered? | For example, has a lost laptop been found or returned? If the information has been recovered, are there any signs that it has been tampered with? |
| What steps have already been taken to mitigate the harm? | How have you contained the breach? Are further steps required? |
| Is this a systemic problem or an isolated incident? | When checking the source of the breach, it is important to check whether any similar breaches could have occurred in the past. Sometimes, a breach can signal a deeper problem with system security. |
| (c) Consider who is affected by the breach | |
| Considerations | Comments and examples |
| How many individuals’ personal information is affected by the breach? |
Remember, if this is a systemic problem, there may be more people affected than first anticipated. While numbers can help gauge the severity of the problem it is important to remember that even a breach involving the personal information of one or two people can be serious, depending on the circumstances. |
| Who is affected by the breach: employees, contractors, the public, clients, service providers, other agencies or organisations? | Remember that certain people may be particularly at risk of harm. For example, a security breach involving name and address of a person might not always be considered high risk. However, a breach to a women’s refuge database containing name and address information may expose women who attend the refuge to a violent family member. |
| (d) Identify what is the risk of harm that could result from the breach | |
| Considerations | Comments and examples |
|
Who is the recipient of the information? |
Is there any relationship between the unauthorised recipients and the affected individuals? |
| What harm to the individuals could result from the breach? |
Examples include:
|
| What harm to the agency or organisation could result from the breach? |
Examples include:
|
An example of evaluating the risks associated with the breach
A newspaper publisher receives a call from a newsagent that sells its newspapers. The newsagent says that the address labels on the bundles of newspapers delivered to his shop appear to show subscriber information printed on the other side. The information includes names, addresses and credit card details.
Following a preliminary investigation, the newspaper publisher confirms that some labels have been inadvertently printed on the back of subscriber lists.
As a first step to containing the breach, the publisher attempts to contact newsagencies that have received the newspapers and asks them to check the labels on the bundles and securely destroy any that show subscriber details on the back.
With these first steps completed, the newspaper publisher begins to evaluate the risks associated with the breach.
The information that was involved in the breach was name, address and credit card information. The newspaper has a large number of subscribers. Further investigations into the breach are unable to reveal how many subscribers' details have been exposed.
The bundles of newspapers displaying subscriber information have been delivered to newsagencies in the early hours of the morning. The newspaper publisher notes that the subscriber information was therefore at risk of unauthorised access during the time between delivery and when the newsagents arrived to open shop.
Further investigations reveal that many newsagencies have already discarded the labels before checking could be carried out as to whether they contained subscriber information. This means that, in many cases, the subscriber lists may not have been safely destroyed.
The newspaper publisher concludes that the exposure of this information could foreseeably result in financial harm to those subscribers listed on the labels. Based on the conclusion that this is a serious breach, it moves to notify subscribers and the Privacy Commissioner of the breach. To notify as many subscribers as possible, it chooses to place a notice in the following day's newspaper.
STEP 3: Consider notification
Notification can be an important mitigation strategy that has the potential to benefit both the agency or organisation and the individuals affected by a breach. The challenge is to determine when notification is appropriate. Each incident needs to be considered on a case-by-case basis to determine whether breach notification is required.
In general, if an information security breach creates a real risk of serious harm to the individual, those affected should be notified.
Prompt notification to individuals in these cases can help them mitigate the damage by taking steps to protect themselves. You should:
- take into account the ability of the individual to take specific steps to mitigate any such harm.
- consider whether it is appropriate to inform the Privacy Commissioner of the information security breach or anyone else, such as the police, other regulators or professional bodies.
(a) Deciding whether to notify affected individuals
A key consideration in deciding whether to notify affected individuals should be whether notification is necessary in order to avoid or mitigate serious harm to an individual whose personal information has been inappropriately accessed, collected, used or disclosed.
You should consider the following factors when deciding whether to notify:
- What is the risk of serious harm to the individual as determined by step 2?
- What is the ability of the individual to avoid or mitigate possible harm if notified of a breach (in addition to steps taken by the agency or organisation)? For example, would an individual be able to have a new bank account number issued to avoid potential financial harm resulting from a breach?
- What are the legal and contractual obligations?
- What are the consequences of failing to notify affected individuals? If individuals subsequently find out about the breach through the media for example, what could be the associated loss of trust that your agency or organisation sustains?
(b) Process of notification
At this stage, you should have as complete a set of facts as possible and have completed your risk assessment in order to determine whether to notify individuals. The following tables set out some of the considerations in the process of notification:
| When to notify: | |
| In general | Other considerations |
| Notification of individuals affected by the breach should occur as soon as reasonably possible following assessment and evaluation of the breach. |
However, if law enforcement authorities are involved, check with those authorities whether notification should be delayed to ensure that the investigation is not compromised. Delaying the disclosure of details relating to a security breach of a security or information system may also be appropriate until that system has been repaired and tested or the breach contained in some other way. |
| How to notify: | |
| In general | Other considerations |
| Notification of individuals affected by the breach should occur as soon as reasonably possible following assessment and evaluation of the breach. |
However, if law enforcement authorities are involved, check with those authorities whether notification should be delayed to ensure that the investigation is not compromised. Delaying the disclosure of details relating to a security breach of a security or information system may also be appropriate until that system has been repaired and tested or the breach contained in some other way. |
| How to notify: | |
| In general | Other considerations |
|
The preferred method of notification is direct either by phone, letter, email or in person – to affected individuals. Indirect notification, either by website information, posted notices, media, should generally only occur where direct notification could cause further harm, is prohibitive in cost or the contact information for affected individuals is not known. |
Preferably notification should ‘stand-alone’ and should not be ‘bundled’ with other material unrelated to the breach, as it may confuse recipients and affect the impact of the breach notification. |
| Who should notify: | |
| In general | Other considerations |
| Typically, the agency or organisation that has a direct relationship with the customer, client or employee should notify the affected individuals, including when the breach occurs at a third party service provider that has been contracted to maintain or process the personal information. | There may be circumstances where notification by a third party is more appropriate. For example, in the event of a breach by a retail merchant of credit card information, the credit card issuer may be involved in providing the notice since the merchant may not have the necessary contact information. |
(c) What should be included in the notification?
The content of notifications will vary depending on the particular breach and the method of notification chosen. In general, the information in the notice should help the individual to reduce or prevent the harm that could be caused by the breach. Notifications should include the types of information detailed in the table below.
| Incident Description | Information about the incident and its timing in general terms. |
| Type of personal information involved |
A description of the personal information involved in the breach. Be careful not to include personal information in the notification to avoid possible further unauthorised disclosure. |
| Response to the breach | A general account of what the agency or organisation has done to control or reduce the harm, and proposed future steps that are planned. |
| Assistance offered to affected individuals |
What the agency or organisation will do to assist individuals and what steps the individual can take to avoid or reduce the risk of harm or to further protect themselves. Possible actions include arranging for credit monitoring or other fraud prevention tools, providing information on how to change a government issued identification number, personal health card or driver licence number. |
| Other information sources |
Sources of information designed to assist individuals in protecting against identity theft or interferences with privacy. For example, guidance on the Office of the Privacy Commissioner’s website www.privacy.gov.au and the Attorney-General’s Department website at http://www.ag.gov.au/www/agd/agd.nsf/page/Crimeprevention_Identitysecurity |
| Agency/ Organisation contact details | Contact information of areas within your agency or organisation that can answer questions, provide further information or address specific privacy concerns. |
| Whether breach notified to regulator | If applicable, indicate whether the agency or organisation has notified the Office of the Privacy Commissioner. |
| How individuals can lodge a complaint with the Privacy Commissioner |
Explain that if individuals are not satisfied with your agency or organisation’s efforts to resolve the issue, that they can make a complaint to the Office of the Privacy Commissioner. |
(d) Others to Contact
In general, notifying the Office, other authorities or regulators should not be a substitute for notifying individuals. However, in some circumstances in may be appropriate to notify these third parties.
| Privacy Commissioner |
Agencies and organisations may decide to report significant information security breaches to the Privacy Commissioner. This may help the Office respond to inquiries made by the public and any complaints they may receive. The Office may also be able to provide general guidance to your agency or organisation that may be helpful in responding to the breach. Notifying the Office may also enhance the public’s understanding of the incident and confidence in your agency or organisation.
|
| Police | If theft or other crime is suspected. |
| Insurers or others | If required by contractual obligations. |
| Credit card companies, financial institutions or credit reporting agencies | If their assistance is necessary for contacting individuals or assisting with mitigating harm. |
| Professional or other regulatory bodies | If professional or regulatory standards require notification of these bodies. For example, other regulatory bodies, such as the Australian Securities and Investments Commission, the Australian Competition and Consumer Commission, the Australian Communications and Media Authority and the Australian Prudential Regulatory Authority may have their own requirements in the event of a breach. |
| Other internal or external parties not already notified |
Agencies and organisations should consider the potential impact that the breach and notification to individuals may have on third parties and take actions accordingly. For example, third parties may be affected if individuals cancel their credit cards or if financial institutions issue new cards.
|
An example of notification of affected individuals
A bank customer, Margaret, receives mail from her bank. When she opens the envelope she notices that correspondence intended for another customer - Diego - has been included in the same envelope. The correspondence includes Diego's name, address and account details.
Margaret contacts the bank to report the incident. The bank asks that she return the mail intended for Diego and contacts Diego to notify him about what has occurred.
The bank apologises to Diego and advises that it will be investigating the matter to determine how the incident occurred and how to prevent it from occurring again. The bank also offers to restore the security of Diego's customer information by closing his existing account and opening a new account. In addition, the bank agrees to discuss with Diego any further action he considers should be taken to resolve the matter to his satisfaction and provides a contact name and number that Diego can use for any further enquiries.
The bank undertakes an investigation of the matter which includes getting reports from the mailing house it uses to generate and despatch customer correspondence. While the mailing house had a number of compliance measures in place to manage the process flow it appears that an isolated error on one production line meant that two customer statements were included in one envelope.
Following its assessment of the breach, the bank is satified that this is an isolated incident. However, it also reviews the compliance measures the mailing house has in place to ensure they are sufficient to protect customer information from unintentional disclosure through production errors. The bank writes to Diego and informs him of the outcome of its investigation.
An example of notification of affected individuals and Privacy Commissioner
A memory stick containing the employee records of 200 employees of a government department goes missing. Extensive searches fail to locate the whereabouts of the memory stick. The information contained in the employee records includes the names, salary information, Tax File Numbers, home addresses, phone numbers, birth dates and in some cases health information (including disability information) of current staff. Information on the memory stick is not encrypted.
Due to the sensitivity of the unencrypted information - not only the extent and variety of the information, but also the existence of health and disability information in the records - the Department decides to notify employees of the breach. It also notifies of the Office of the Privacy Commissioner of the breach and explains to that Office what steps it is taking to resolve the situation.
A senior staff member emails staff to notify them of the breach. In the notification she offers staff an apology for the breach, explains what types of information were breached, notes that the Privacy Commissioner has been informed of the breach, and explains what steps have been put in place to prevent this type of a breach occurring in the future. In the notification to staff, the senior staff member also provides staff with details about how they can have a new Tax File Number issued and informs staff that if they are unhappy with the steps the agency has taken they can make a complaint to the Office of the Privacy Commissioner.
An example of notification of affected individuals, Privacy Commissioner and police
A ticket retailer sells concert tickets at various outlets and online. Online purchases are done on a secure site using a credit card. During a routine security check, the ticket retailer discovers that the database connected to its secure site has been compromised and customer information stolen. The ticket retailer takes steps to contain the breach and then, based on its belief that criminal activity has been involved, contacts the police.
The police investigate, during which time they ask the ticket retailer not to release any information about the breach. The ticket retailer uses this period to engage a technology security firm to enhance the security of its online purchasing systems.
Once satisfied that notification will not compromise police investigations, the retailer notifies the Office of the Privacy Commissioner of the breach and then emails affected ticket purchasers. In notifying the ticket purchasers, the retailer explains exactly what happened and when; that the police have been investigating; and that the Privacy Commissioner has been notified. It also suggests that affected ticket purchasers monitor their credit card accounts and contact their financial institution if they have any concerns.
An example of notification of affected individuals, Privacy Commissioner and police
A small business that rents out household items keeps credit reports of rental applicants on site in hard copy.
A box of the reports goes missing. The small business is unable to locate the reports and fears they have been stolen. The credit reports include the name, past three addresses, drivers licence number, date of birth and employer details of rental applicants.
Based on the belief that theft may be involved, the small business alerts the police.
Due to the types of information that have been lost (which in combination may create a serious risk of identity theft) the small business judges that the breach is serious enough to warrant notification of rental applicants and the Privacy Commissioner.
The small business knows that the credit reports relate to applicants from the last two months. It decides to notify individuals who have applied for rentals during this period that information contained in their credit report may have been compromised. In the notification the small business advises individuals to monitor their credit reports for suspicious activity and commits to more secure storage of credit reports in the future.
To meet the commitment to store reports more securely, the small business undertakes to review physical security measures, including by storing reports in a locked cabinet and ensures that staff understand the importance of handling the reports appropriately.
An example of no notification
A staff member at a government department takes a memory stick out of the office so that he can work on at home. At some point between leaving the Office and arriving at home, the staff member loses the memory stick. The staff member reports it missing the next day.
Despite the assistance of the transport authority, the Department is unable to locate the memory stick. Following a preliminary assessment of the breach, the Department undertakes to evaluate the risks associated with the loss of the memory stick.
The Department first assesses what (if any) personal information may have been lost with the memory stick. While the memory stick did not contain client records, it did contain the names, phone numbers and email addresses of about 120 external stakeholders contributing to a project lead by the Department, along with email correspondence from these stakeholders.
Further evaluation of the risks associated with the loss of the memory stick reveal that data held on the stick is protected by high level encryption technology. The Department consults with its IT team to confirm that the encryption on the memory stick is adequately secure and following confirmation by the IT team, decides that notification of individuals whose personal information was held on the memory stick is not necessary.
An example of no notification
A pathologist receives a phone call from a GP with whom he has a professional relationship, advising him that the Pathologist has faxed test results to her by mistake. The test results are intended for a different GP.
The pathologist asks the GP to destroy the test results and considers whether notification of the patient is warranted.
The pathologist recognises that the GP is bound by ethical duties and is familiar with principles of confidentiality and privacy. Accordingly, the pathologist is confident that the GP can be relied upon not to mishandle the information contained in the test results and the disclosure is unlikely to pose a serious risk to the privacy of the individual.
The pathologist decides not to notify but does review his practices to avoid a similar breach occurring in the future. To reduce the chance of such mistakes happening again, the specialist puts in place a series of steps, including ensuring that administrative staff are counselled to exercise care in checking that fax numbers are accurate. The specialist also considers taking the step of routinely phoning recipients to put them on notice that results are being faxed. This reduces the risk that any fax, whether misdirected or not, will be left unattended on the machine for long periods of time, and may allow the intended recipient to let the sender know if it is not received.
STEP 4: Prevent future breaches
Once the immediate steps are taken to mitigate the risks associated with the breach, agencies and organisations need to take the time to investigate the cause of the breach and consider whether to develop a prevention plan.
A prevention plan should suggest actions which are proportionate to the significance of the breach and whether it was a systemic breach or an isolated instance.
This plan may include the following:
- a security audit of both physical and technical security
- a review of policies and procedures and any changes to reflect the lessons learned from the investigation and regularly after that (for example, security, record retention and collection policies)
- a review of employee training practices and
- a review of service delivery partners (eg. dealers and retailers).
The resulting plan may include a requirement for an audit at the end of the process to ensure that the prevention plan has been fully implemented.
Some suggestions for being prepared to respond to a breach are:
- Develop a breach response plan: while the aim should be to prevent breaches, having a breach response plan may assist in ensuring a quick response to breaches, and greater potential for mitigating harm from the breach.
A plan could set out contact details for appropriate staff that should be notified; clarify the roles and responsibilities of staff; and document processes for the agency or organisation to contain breaches, coordinate investigations and breach notifications and cooperate with external investigations. - Depending on the size of the agency or organisation, a management group responsible for responding to information security breaches could be established, with representatives from relevant areas that may be needed to investigate an incident, conduct risk assessments and make appropriate decisions (eg. privacy, senior management, IT, public affairs, legal).
The group could convene periodically to review the response plan, discuss new risks and practices, or consider incidents that have occurred in other agencies or organisations. - Include information in your agency or organisation's privacy policy about how you respond to breaches. This could include letting individuals know how they are likely to be notified in the event of a breach and whether your agency or organisation would ask them to verify any contact details or other information.
This would make clear to individuals how their personal contact information is used in the event of a breach, and may also assist individuals to avoid 'phishing' scam emails involving fake breach notifications and asking recipients to verify their account details, passwords and other personal information.
Tips for preventing future breaches
Some of the measures that have resulted from real-life information security breaches are:
- the creation of a senior position in the agency with specific responsibility for data security
- a ban on bulk transfers of data onto removable media without adequate security protection (such as encryption)
- disabling the download function on computers in use across the agency to prevent the download of data onto removable media
- secure couriers and appropriate tamper proof packaging in the transport of bulk data and
- a ban on the removal of unencrypted laptops and other portable devices from government buildings.
Technological advances are allowing increasingly larger amounts of information to be stored on increasingly smaller devices. This creates an increased risk of security breaches due to the size and portability of these devices, which can be lost or misplaced more easily when taken outside of the office. There is also a risk of theft because of the value of the devices themselves (regardless of the information they contain).
Preventative steps that agencies and organisations can take include conducting risk assessments to determine:
- whether and in what circumstances (and by which staff), personal information is permitted to be removed from the Office, whether it is removed in electronic form on disks, USB storage devices, laptops and other portable devices or in physical files and
- whether their stored data, both in the office and when removed from the office, requires encryption security.
8. The Role of the Office of the Privacy Commissioner
The Office has the function of investigating possible breaches of the Privacy Act. An information security breach may constitute a breach of information security obligations under the IPPs or NPPs, and result in an interference with an individual's privacy.[17] However, the Office has no formal role in relation to breach notification and assisting agencies and organisations to respond to an information security breach.
If an individual thinks an agency or organisation has interfered with his or her privacy they can complain to the Privacy Commissioner. The Office conciliates between the parties to attempt to adequately resolve the dispute.
The Office also has the power to initiate an investigation on its own motion in appropriate circumstance without needing to first receive a complaint. In some circumstances the Commissioner may publicise information about the information management practices of an agency or organisation.
8.1 Reporting an information security breach to the Office
The Privacy Act does not specifically require agencies and organisations to report information security breaches to the Privacy Commissioner. You may however choose to notify the Office of an information security breach. The following are some potential benefits from doing so:
- An agency or organisation's decision to notify the Office on its own initiative may be viewed by the public as a positive action. It tells your clients and the public that your agency or organisation views the protection of personal information as an important and serious matter. This may enhance public/client confidence in your agency or organisation.
- It can assist the Office in responding to inquiries made by the public and managing any complaints that may be received as a result of the breach.
It is important to note that reporting a breach does not preclude the Office from receiving complaints and conducting an investigation of the incident (whether in response to a complaint or of its own motion).
If you decide to report an information security breach to the Office, the following provides an indication of what the Office can and can't do:
What the Office can do:
- Provide general information about obligations under the Privacy Act, factors to consider in responding to an information security breach and steps to take to prevent similar future incidents.
- Respond to community enquiries about the breach and explain possible steps individuals can take to protect personal information
What the Office cannot do:
- Provide detailed advice about how to respond to a breach or approve a particular proposed course of action. Agencies and organisations will need to seek own legal or other advice.
- Agree not to investigate (either using the Commissioner's 'own motion investigation' powers, or if a complaint is made to the Office) if the Office is notified of a breach.
The Office uses risk assessment criteria to determine whether to investigate a matter on its own motion. These criteria include the:
- Number of people affected and the consequences for those individuals
- Sensitivity of the personal information involved
- Progress of an agency or organisation's own investigation into the matter and
- Likelihood that the investigation will reveal acts or practices that involve systemic interferences with privacy and/or that are widespread
- What actions have been taken to minimise harm to individuals from breach, such as notifying them and/or offering to re-secure their information and
- Whether another body such as the police are investigating.
These factors are similar to those included in the risk assessment criteria for responding to an information security breach.
Also, under s 27(1)(j) of the Privacy Act, the Privacy Commissioner can inform the Special Minister of State, as the Minister responsible for the Privacy Act, of action that needs to be taken by an agency in order to achieve compliance by the agency with the IPPs.
9. Schematic guide to breach notification
Appendix A
Information Privacy Principle 4
Storage and security of personal information
A record-keeper who has possession or control of a record that contains personal information shall ensure:
- (a) that the record is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse; and
- (b) that if it is necessary for the record to be given to a person in connection with the provision of a service to the record-keeper, everything reasonable within the power of the record-keeper is done to prevent unauthorised use or disclosure of information contained in the record.
National Privacy Principle 4
Data security
- An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.
- 4.2 An organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed under National Privacy Principle 2.
[1] Office of the Privacy Commissioner, Community Attitudes to Privacy 2007 (August 2007), pp 67-68, available at http://www.privacy.gov.au/business/research/index.html. The research indicated that 60% of respondents were concerned, with 17% of this total very concerned.
[2] Commission of the European Communities, Review of the EU Regulatory Framework for electronic communications networks and services', June 2006, p30, available at http://europa.eu.int/information_society/policy/ecomm/doc/info_centre/public_consult/review/staffworkingdocument_final.pdf.
[3] See Office of the Privacy Commissioner of Canada, 'Key Steps for Organisations in Responding to Privacy Breaches' (August 2007) available at
http://www.privcom.gc.ca/information/guide/2007/gl_070801_02_e.asp.
and New Zealand Office of the Privacy Commissioner draft privacy breach guidelines, available at http://www.privacy.org.nz/privacy-breach-guidelines-2/.
[4] See Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (September 2007), Chapter 47 and Proposal 47-1, available at: http://www.austlii.edu.au/au/other/alrc/publications/dp/72/ .
[5] It is anticipated that, if a mandatory notification requirement is introduced, agencies and organisations would nevertheless need to undertake some form of a risk assessment of a breach incident to determine whether they are legally required to notify affected individuals or others. For example, as proposed by the ALRC (see note 7 above), making an assessment of whether there is real risk of serious harm to affected individuals. The risk assessment approach emphasised in this guide may therefore be compatible with such future privacy law reform.
[6] See the Office of the Privacy Commissioner, Submission to the Australian Law Reform Commission's Review of Privacy - Discussion Paper 72 (December 2007), chapter 47, pp.32 and 551-517, available at http://www.privacy.gov.au/publications/alrc211207.html.
[7] See Office of the Privacy Commissioner of Canada, 'Key Steps for Organisations in Responding to Privacy Breaches' (August 2007), available at
http://www.privcom.gc.ca/information/guide/2007/gl_070801_02_e.asp.
and New Zealand Office of the Privacy Commissioner draft privacy breach guidelines, available at http://www.privacy.org.nz/privacy-breach-guidelines-2/.
[8] An organisation, as defined under the Privacy Act 1988, is
- (a) an individual, or;
- (b) a body corporate or;
- (c) a partnership or;
- (d) any other unincorporated association or;
- (e) a trust;
that is not a small business operator, a registered political party, an agency, a State or Territory authority or a prescribed instrumentality.
[9] Although the titles for NPP 3, NPP 4 and NPP 9 all refer to 'data' (being the 'Data quality', 'Data security' and 'Transborder data flows' principles respectively), this term tends not to be used in the substantive provisions of the Act. See Privacy Act 1988 (Cth), Schedule 3. The NPPs are available at http://www.privacy.gov.au/publications/npps01.html.
[10] See the 'security safeguards principle' in the Organisation for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980) available at http://www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html.
The Privacy Act 1988 (Cth) was enacted to implement the OECD guidelines in Australia, as recognised in the preamble to the Act.
[11] For further information on coverage of the NPPs, see Information Sheet 12-2001 Coverage of and Exemptions from the Private Sector Provisions, available at http://www.privacy.gov.au/publications/IS12_01.html.
[12] The Office has provided further guidance on compliance with the information security principles elsewhere, available at
Guidelines to the Information Privacy Principles (principles 4-7) (for Australian and ACT Government agencies), available at
http://www.privacy.gov.au/government/guidelines/index.html.
Guidelines to the National Privacy Principles (for private sector organisations), available at
http://www.privacy.gov.au/publications/nppgl_01.html.
Information Sheet 6-2001: Security and personal information
Provides information for organisations on compliance with NPP 4 available at http://www.privacy.gov.au/publications/IS6_01.html.
[13] See the Office's Guidelines to the Information Privacy Principles (principles 4-7) for a brief overview of existing guidance on security standards for agencies, available at http://www.privacy.gov.au/government/guidelines/index.html.
[14] Information security obligations on agencies and organisations are outlined in the draft Voluntary Information Security Breach Notification Guide attached.
[15] See the 'openness principle' in the Organisation for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980), available at http://www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html. This principle is reflected in NPP 5 and IPP 2 in the Privacy Act 1988 (Cth).
[16] See the Information Privacy Principles in section 14 and the National Privacy Principles in Schedule 3 of the Privacy Act. The IPPs are available at http://www.privacy.gov.au/publications/ipps.html. The NPPs are available at http://www.privacy.gov.au/publications/npps01.html.
[17] See sections 13 (agencies) and 13A (organisations) of the Privacy Act 1988 (Cth).