Breach of Security
In a nutshell
- PIPA places a duty on every organisation to notify the Commissioner, without undue delay, of any breach of security leading to the loss or unlawful destruction or unauthorised disclosure of or access to personal information that is likely to adversely affect an individual.
- You must then also inform the affected individuals without undue delay.
- You should ensure you have robust breach detection, investigation, and internal reporting procedures in place.
- You must also keep a record of every personal information breach, whether or not you are required to notify it.
Section 14, Breach of security, states that:
(1) In case of a breach of security leading to the loss or unlawful destruction or unauthorised disclosure of or access to personal information which is likely to adversely affect an individual, the organisation responsible for that personal information shall, without undue delay—
(a) notify the Commissioner of the breach; and
(b) then notify any individual affected by the breach.
(2) The notification to the Commissioner under subsection (1) shall describe—
(a) the nature of the breach;
(b) its likely consequences for that individual; and
(c) the measures taken and to be taken by the organisation to address the breach,
so that the Commissioner can determine whether to order the organisation to take further steps and for the Commissioner to maintain a record of the breach and the measures taken.
Preparing for a personal information breach: checklist
☐ We know how to recognise a breach of personal information.
☐ We understand that a breach of personal information isn’t only about loss or theft of personal information.
☐ We have prepared a response plan for addressing any breaches of personal information that occur.
☐ We have allocated responsibility for managing breaches to a dedicated person or team.
☐ Our staff know how to escalate a security incident to the appropriate person or team in our organisation to determine whether a breach has occurred.
Responding to a personal information breach: checklist
☐ We have in place a process to assess the likely risk to individuals as a result of a breach.
☐ We have a process to inform affected individuals about a breach when they are likely to be adversely affected.
☐ We know we must inform affected individuals without undue delay.
☐ We know who the regulator is.
☐ We have a process to notify the Commissioner of a breach without undue delay, even if we do not yet have all the details.
☐ We know what information we must give the Commissioner about a breach.
☐ We know what information about a breach we must provide to individuals, and that we should provide advice to help them protect themselves from its effects.
☐ We document all breaches, even if they don’t need to be reported.
Organisations ask
What information must we provide to individuals when informing them about a breach?
What breaches do we need to notify the Commissioner about?
What role do overseas third parties have?
How much time do we have to report a breach?
What information must a breach notification to the Commissioner contain?
Does PIPA require us to take any other steps in response to a breach?
What else should we take into account?
What happens if we fail to notify the Commissioner of all notifiable breaches?
What is a personal information breach?
A personal information breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal information. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just losing personal information.
Personal information breaches can include:
- access by an unauthorised third party;
- deliberate or accidental action (or inaction) by an organisation or an overseas third party;
- sending personal information to an incorrect recipient;
- computing devices containing personal information being lost or stolen;
- alteration of personal information without permission; and
- loss of availability of personal information.
A personal information breach can be broadly defined as a security incident that has affected the confidentiality, integrity, or availability of personal information. In short, there will be a personal information breach whenever any personal information is accidentally lost, destroyed, corrupted, or disclosed; if someone accesses the information or passes it on without proper authorisation; or if the information is made unavailable and this unavailability has an adverse effect on individuals.
When do we need to tell individuals about a breach?
If a breach is likely to adversely affect an individual, PIPA says you must inform the Commissioner first and then the individuals concerned, directly and without undue delay. In other words, both notifications should take place as soon as possible.
Scenario
A hospital suffers a breach that results in accidental disclosure of patient records. There is likely to be a significant impact on the affected individuals because of the sensitivity of the information and their confidential medical details becoming known to others. This is likely to result in an adverse effect, so they would need to be informed about the breach.
A university experiences a breach when a member of staff accidentally deletes a record of alumni contact details. The details are later re-created from a backup. This is unlikely to result in an adverse effect on those individuals. They don’t need to be informed about the breach.
If you decide not to notify the Commissioner or individuals, you will still need to document the analysis that demonstrates the breach is unlikely to adversely affect individuals. You should also remember that the Commissioner has the power to compel you to inform affected individuals if the Commissioner considers there is a high risk of harm to them. In any event, you should document your decision-making process in line with the requirements of the responsibility and compliance principle.
What information must we provide to individuals when informing them about a breach?
You need to describe, in clear and plain language, the nature of the personal information breach and, at least:
- the name and contact details of any data privacy officer you have, or another contact point where more information can be obtained;
- a description of the likely consequences of the personal information breach; and
- a description of the measures taken or proposed to deal with the personal information breach and, where appropriate, a description of the measures taken to mitigate any possible adverse effects.
If possible, you should give specific and clear advice to individuals on the steps they can take to protect themselves, and what you are willing to do to help them. Depending on the circumstances, this may include such things as:
- resetting a password;
- advising individuals to use strong, unique passwords; and
- telling them to look out for phishing emails or fraudulent activity on their accounts.
What breaches do we need to notify the Commissioner about?
When a personal information breach occurs, you need to establish the likelihood of an adverse effect on individuals. If an adverse effect is likely, you must notify the Commissioner; if it is unlikely, you don’t have to report it. However, if you decide you don’t need to report the breach, you need to be able to justify this decision, so you should document it.
What role do overseas third parties have?
If your organisation uses an overseas third party to process personal information and that third party suffers a breach, it must inform you without undue delay once it becomes aware of the breach. As the organisation, you remain responsible for the personal information.
Scenario
Your law firm (organisation) contracts an IT services firm (overseas third party) to archive and store your customer records. The IT firm detects an attack on its network that results in the personal information in those records being unlawfully accessed. As this is a personal information breach, the IT firm promptly notifies you that the breach has taken place. You assess the likely adverse effect on the individuals concerned and notify the Commissioner if the breach is reportable.
This requirement allows you to take steps to address the breach and meet your breach-reporting obligations under PIPA.
If you use an overseas third party, the requirements on breach reporting should be detailed in the contract between you and your overseas third party, as required under section 15(4) and section 15(5).
How much time do we have to report a breach?
You must report a notifiable breach to the Commissioner without undue delay. If you fail to do so, you must give reasons for the delay.
What information must a breach notification to the Commissioner contain?
When reporting a breach, under PIPA, you must describe:
- the nature of the personal information breach;
- the likely consequences for the individuals concerned; and
- the measures taken, or to be taken, by the organisation to address the personal information breach.
Scenario
Your organisation detects an intrusion into your network and becomes aware that access has been gained to files containing personal information, but you don’t know how the attacker gained entry, to what extent that information was accessed, or whether the attacker also copied the information from your system.
You notify the Commissioner of the breach without undue delay, explaining that you don’t yet have all the relevant details, but that you expect to have the results of your investigation within a few days. Once your investigation uncovers details about the incident, you give the Commissioner more information about the breach without delay.
Does PIPA require us to take any other steps in response to a breach?
You should ensure that you record all breaches. Section 14(2) requires a notification to describe the nature of the breach, its likely consequences, and the measures taken and to be taken to address it, so that the Commissioner can maintain a record of the breach; documenting the same facts for every breach, whether or not it is notified, is part of your overall obligation to comply with the responsibility and compliance principle and allows the Commissioner to verify your organisation’s compliance with its notification duties under PIPA.
As with any security incident, you should investigate whether or not the breach was a result of human error or a systemic issue and see how a recurrence can be prevented. Human error is the leading cause of reported personal information breaches. To reduce the risk, consider:
- mandatory data protection and privacy induction and refresher training;
- support and supervision until employees are proficient in their role;
- updating measures, policies, and procedures for employees;
- working to a principle of “check twice, send once”;
- implementing a culture of trust, so that employees feel able to report incidents and near misses;
- investigating the root causes of breaches and near misses; and
- protecting your employees and the personal information you are responsible for. This could include:
  - restricting access and auditing systems, or
  - implementing technical and organisational measures, e.g., disabling autofill.
As part of your breach management process, you should undertake a risk assessment and have an appropriate risk assessment matrix to help you manage breaches on a day-to-day basis. This will help you assess the impact of breaches and meet your reporting and recording requirements. This will provide a basis for your breach policy and help you demonstrate your accountability as an organisation.
What else should we take into account?
The following aren’t all PIPA requirements regarding breaches, but you should take them into account when you’ve experienced a breach.
As a result of a breach, an organisation may experience a higher volume of data protection and privacy requests or complaints, particularly in relation to access requests and erasure. You should have a contingency plan in place to deal with the possibility of this. It is important that you continue to deal with those requests and complaints, alongside any other work that has been generated as a result of the breach. You should also consider how you might manage the impact on individuals, including explaining how they may pursue compensation should the situation warrant it.
It is important to be aware that you may have additional notification obligations under other laws if you experience a personal information breach.
You may also need to consider notifying third parties such as the police, insurers, professional bodies, or bank or credit card companies who can help reduce the risk of financial loss to individuals.
What happens if we fail to notify the Commissioner of all notifiable breaches?
Failing to notify the Commissioner of a breach when required to do so is an offence.
In accordance with section 47(3), a person who commits an offence under subsection (1) or (2) is liable—on summary conviction, in the case of an individual, to a fine not exceeding $25,000 or to imprisonment not exceeding two years or to both; and on conviction on indictment, in the case of a person other than an individual, to a fine not exceeding $250,000.
It is important to make sure you have a robust breach-reporting process in place so that you detect breaches, notify them on time, and provide the necessary details, unless the personal information breach is unlikely to result in an adverse effect on individuals. If you decide you don’t need to report the breach, you need to be able to justify this decision, so you should document it.