Code Green: Data Breach/Cyber Incident
A cyber incident/data breach places your organisation in crisis management mode.
In many cases these types of crises cannot be avoided however the steps taken in the aftermath of the incident can significantly reduce the impact the data breach/cyber incident has on your organisation.
What is a Data Breach?
- Any unauthorised access, modification, disclosure or other misuse or interference with personal information (including tax file number and/or other sensitive information)
- Loss of personal information (including tax file number, and/or other sensitive information) which is likely to result in unauthorised access, or disclosure
- Often a result of or related to a cyber-incident but data breaches come in all shapes and sizes
- In some cases, a cyber-incident may not lead to the compromise of (i.e. unauthorised access to) personal information, even if control of the organisation’s IT systems has been lost temporarily. In such an instance the organisation must determine whether to treat the incident as a full scale data breach or simply as an inadequate security practice requiring (immediate) rectification
First 24 hours
The initial period following a data breach/cyber incident is critical to restoring security, minimising harm, obtaining and preserving evidence, and complying with contractual and legal obligations.
- For any data breach/cyber incident immediately notify the ICT Service Desk on (03) 9479 1500
ext. 1500 and report:
- Breach or incident
- Impact to users
- Cause if known
- When it occurred or detected
Checklist - ICT and IRG
- Activate the IRG
- Establish a “privileged” reporting and communication channel
- Contain and stop additional data loss/breach
- Conduct severity assessment and including assessment of risk of serious harm – consider engagement of independent cyber security and forensic experts to carry out reasonable and prompt assessment of the circumstances
- Follow ICT change management procedures for all production systems
- Secure evidence and preserve audit logs
- Prepare rectification plan and change security access and passwords
- Notify Privacy Officer of any data privacy breaches firstname.lastname@example.org
- Interview personnel involved and determine your legal, contractual, insurance and other reporting obligations (including obligations to notify affected individuals)
- Consider possibly involving law enforcement, the Information Commissioner(s) and/or regulators
- Document the data breach and formalise reporting pursuant to the Breach and Incident Management Framework
- Activate a post-incident review of the data breach event
Checklist - Impacted Area
- Ignore the incident
- Probe computers and affected systems
- Turn off computers and affected systems
- Image or copy data or connect storage devices/media to affected systems
- Reconnect affected systems
The University is required by regulation to implement a cyber and eligible data breach response plan. For example, the Payment Card Industry Data Security Standard requires that all organisations that accept credit cards create and maintain an emergency response (and communication) plan for data breaches involving the loss of credit card data.
The Privacy Act 1988 (Cth) similarly requires the University to detect data breaches, evaluate the risks of serious harm to affected individuals, determine any additional or necessary actions required to rectify and mitigate the breach, and notify each affected individuals and or the Office of the Australian Information Commissioner of the breach. In assessing the severity of the breach all ‘Relevant Matters’ prescribed by the Privacy Act are to be considered, including remedial activities undertaken in containment of the breach.