Privacy Commissioner Michael Webster outlines four steps every leader should be aware of, if your organisation suffers a privacy breach.
Privacy breaches are bad news but they’re also a chance to learn from and prevent further breaches. There are four steps every manager should know to reduce the harm to their business.
The first step is Contain. You need to find out what’s happened and take steps to stop the breach from getting worse.
Regardless of the size of the breach, time is crucial. Your duty is to do what you can to safeguard the private information you hold.
This will help protect your customers, your staff, and your reputation. In some cases, you will need to consider legal action to protect information that has been breached. A good example of this was the injunction issued by the High Court to stop people sharing the data that was stolen in last year’s breach of Mercury IT.
The second step is Assess. Work out what was accessed and, if you can, who accessed it. Once done, you should be able to tell what kind of harm occurred, how serious it is, and whether it is possible to recover the information.
Which leads into the third step, Notify. You must inform the Office of the Privacy Commissioner (OPC) of serious privacy breaches within 72 hours after becoming aware of them.
A simple rule for deciding whether to notify us: if it looks serious when you discover it, report it via the OPC NotifyUs tool.
If you’re unsure whether it’s a serious breach, you can tell OPC what you know so far and update us as the picture becomes clearer. We’re here to help and would rather have a conversation with you as soon as possible.
In most cases, you will also need to notify the people affected by the breach unless an exception applies, such as if notifying them would adversely affect that person’s mental health.
You can find out more about what is accepted as an exception in Section 116 of the Privacy Act. Incorrectly notifying the wrong people that their information has been breached may cause them unnecessary stress and harm, so you need to take care to get this right.
However, not notifying people who need to be told may mean they miss the chance to change passwords or take other actions that could help them protect themselves.
It’s also the basis for making a complaint to our office if you didn’t notify an affected person and they were disadvantaged by not knowing about the breach.
You will need to be ready to work through who to notify and how, and how to justify any decisions not to notify individuals.
This may include calling in help if there are a lot of people affected by the breach and they have been affected in different ways, e.g. staff may be affected differently to customers depending on what type of information has been compromised. Using OPC website resources can help guide you on what you will need to do.
And finally, Prevent. This is a critical step for businesses to undertake.
Privacy breaches, whether through a malicious act, human error, or system malfunction, work to erode trust in businesses.
In surveys OPC has conducted, we have discovered that six out of 10 New Zealanders would be likely to change service providers if they heard their current provider had poor privacy practices.
It’s paramount for businesses to learn from mistakes and ensure they’re working to high privacy standards.
When a breach happens, or if you see one reported in media, look at how the breach happened, and work to identify and fix any holes you may have that would allow it to happen to your business.
Ensure your policies and procedures are up to date and that your staff are aware of their responsibilities when it comes to the information you hold.
The OPC is available to provide advice and is happy to discuss any problems you may encounter. This can be done via email at [email protected] or by calling 0800 803 909.