Last week the Office of the Australian Information Commissioner released a new Guide to developing a data breach response plan. Given that both of the enforceable undertakings given to the Commissioner to date in relation to privacy breaches concerned breaches that the relevant company neither discovered itself nor dealt with on a timely basis, it is unsurprising that an updated guide was needed.

The guide is short, only 9 pages, and has a valuable check-list of issues at page 8. It also helpfully cross-references the Commissioner's Data breach notification guide: A guide to handling personal information security breaches. While the data breach notification guide deals with the substantive steps to be taken once a breach is discovered, the Guide to developing a data breach response plan considers how organisations can plan in advance to better manage such circumstances, including by ensuring they have a breach response team whose members understand their roles and have clear reporting lines.

Organisations that have experienced a data breach will be aware that the need for swift and clear action makes advance planning a high priority. Where executives across a range of responsibilities understand their respective roles and can co-ordinate clearly, the issues involved in dealing with the breach and minimising the harm can all be addressed on a timely basis.

There is an old saying: "a stitch in time saves nine". Spending some time now to settle a response plan and address each of the issues raised in the Commissioner's check-list will be invaluable in the event of a breach.

The statistics released year on year by the relevant surveys indicate that a breach is not a question of "if" but of "when".

Holding Redlich has experience assisting companies in dealing with breaches, notifying affected individuals, reviewing systems to contain the breach and prevent future breaches, and improving the range of security responses an organisation has available in such situations.

If you have any concerns about your organisation's ability to respond, we would be happy to work through the check-list with you.

The Guides can be accessed here:

Consultation draft: Guide to developing a data breach response plan

Data breach notification — A guide to handling personal information security breaches

This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.