A privacy breach will more than likely happen to your organisation and how you prepare for a breach matters. By Privacy Commissioner Michael Webster.
When it comes to keeping personal information safe, it’s far better to be over prepared and plan for the worst-case scenario than to take a ‘she’ll be right’ attitude, because the damage can be huge.
Having a breach management system (a tested and integrated incident response plan) is crucial. It helps organisations respond appropriately when a serious breach occurs, and it can stop a breach from becoming serious as a result of an unprepared response.
A good plan will enable you to respond quickly to a breach or incident, which can substantially decrease the impact on affected individuals, reduce the costs associated with dealing with a breach and reduce the reputational damage to your organisation.
The plan should:
- Outline your organisation’s plan for containing, assessing and managing the incident from start to finish.
- Include a clear description of roles and responsibilities.
- Include an audit function to ensure the plan is implemented and policies and procedures are reviewed regularly.
- Align with the organisation’s security plan, privacy policy requirements, and any general incident management policies or processes.
- Be informed by data on previous near misses and any privacy and/or security breaches.
- Be tested in a mock scenario. Practice and refinement of the plan is key to its success.
It’s also useful to examine the cause of the breach, so you can look to remedy the underlying issue.
Most serious privacy breaches reported to my office happen in the digital world. That includes things like bad actors and intentional or malicious activity, but it also includes a good dose of human error and bad systems.
My office is increasingly moving away from the phrase ‘human error,’ because it distracts the conversation from what really went wrong.
We find many of the privacy breaches reported as ‘human error’ have a root cause of an IT or business process system not being fit-for-purpose. People make mistakes when the systems don’t make it easy for them to do their work, and they look for workarounds.
Organisations also make mistakes because they either don’t understand the value of privacy, or don’t care.
In 2023, the UK Information Commissioner stated: “The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company.”
Employee browsing, where staff look through information the organisation holds for their own purposes, is an example of a risk that can be mitigated.
It’s important you make sure your IT systems are set up so that staff only have access to what they need to do their job. Then audit those access settings to make sure they’re working, and to proactively identify any unauthorised access.
Sometimes privacy is as easy as just ensuring your IT systems are up to scratch and making sure you’ve thought about access, have got the permissions set correctly and have tested them.
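As an added illustration of the two controls described above (least-privilege access settings, then auditing them and the access they produce), the following Python script is not from the Commissioner’s office; it is an example written for this page. It compares the configured entitlements of each role against a least-privilege baseline, then replays access-log lines and flags reads that fall outside a user’s role or outside a case officer’s assigned caseload, which is the pattern of employee browsing. Every role, name, record identifier and log line is constructed for the example.

```python
"""Least-privilege audit and employee-browsing detection over constructed data.

Two checks a privacy or security team might run:
  1. audit_entitlements: does what is configured exceed what the role needs?
  2. detect_browsing: did anyone read data their role, or their caseload,
     does not entitle them to?
All roles, users, records and log lines below are constructed examples.
"""

# Constructed least-privilege baseline: the datasets each role needs for its job.
BASELINE = {
    "case_officer": {"case_records"},
    "finance": {"billing"},
    "helpdesk": {"directory"},
}

# Constructed entitlements as actually configured; includes deliberate drift.
CONFIGURED = {
    "case_officer": {"case_records"},
    "finance": {"billing", "case_records"},  # drift: finance does not need case records
    "helpdesk": {"directory"},
}

# Constructed staff directory: each person's role and, for officers, assigned cases.
STAFF = {
    "alice": {"role": "case_officer", "cases": {"C-100", "C-101"}},
    "bob": {"role": "finance", "cases": set()},
    "carol": {"role": "helpdesk", "cases": set()},
}

# Constructed access log, one read per line: timestamp user dataset record.
ACCESS_LOG = """\
2024-03-01T09:02:11Z alice case_records C-100
2024-03-01T09:05:40Z alice case_records C-101
2024-03-01T09:07:03Z alice case_records C-250
2024-03-01T10:15:22Z bob billing INV-7
2024-03-01T10:16:01Z bob case_records C-100
2024-03-01T11:00:00Z carol directory EMP-42
2024-03-01T11:01:30Z carol case_records C-101
"""


def audit_entitlements(configured, baseline):
    """Return {role: [excess datasets]} where configuration exceeds the baseline."""
    excess = {}
    for role, datasets in configured.items():
        extra = datasets - baseline.get(role, set())
        if extra:
            excess[role] = sorted(extra)
    return excess


def parse_log(text):
    """Yield one dict per non-empty log line in the constructed format above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dataset, record = line.split()
        yield {"ts": ts, "user": user, "dataset": dataset, "record": record}


def detect_browsing(log_text, staff, baseline):
    """Flag reads outside the user's role, or case reads outside their caseload.

    The check is made against the baseline, not the configured entitlements,
    so a read that drifted permissions allowed is still reported.
    Returns a list of (timestamp, user, reason) tuples in log order.
    """
    findings = []
    for ev in parse_log(log_text):
        person = staff.get(ev["user"])
        if person is None:
            findings.append((ev["ts"], ev["user"], "unknown user"))
            continue
        allowed = baseline.get(person["role"], set())
        if ev["dataset"] not in allowed:
            findings.append(
                (ev["ts"], ev["user"],
                 f"role {person['role']} not entitled to {ev['dataset']}")
            )
        elif ev["dataset"] == "case_records" and ev["record"] not in person["cases"]:
            findings.append(
                (ev["ts"], ev["user"], f"read {ev['record']} outside assigned caseload")
            )
    return findings


if __name__ == "__main__":
    for role, extra in audit_entitlements(CONFIGURED, BASELINE).items():
        print(f"entitlement drift: {role} has {extra} beyond baseline")
    for ts, user, reason in detect_browsing(ACCESS_LOG, STAFF, BASELINE):
        print(f"{ts} {user}: {reason}")
```

On the constructed data the audit reports that the finance role has been granted case records it does not need, and the replay flags three reads: an officer opening a case outside her caseload, and two staff reaching case records their roles do not cover. In practice the baseline would come from the role definitions in the organisation’s privacy and security plan, and the log from the system of record, so that the audit function the plan calls for can be run on a schedule rather than only after a breach.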
No system is infallible. Working on your privacy breach plan will help make sure you’re well placed to act should a privacy breach occur, and analysing what went wrong and why can help you put steps in place to fix the issue.