WHAT IS A DATA BREACH?
A data breach occurs when consumer and employee information, financial information, supplier information, classified information, and basic personal information such as full names are leaked.
Data breaches are not limited to hacking; they can also arise from internet malfunctions, human error, and failure to follow information handling policies.
WHO SHOULD HAVE A DATA BREACH POLICY?
In accordance with the Privacy Act 1988 (Cth), companies that hold personal, confidential information about employees, clients, and suppliers should have a data breach policy.
Data breach policies ensure that the appropriate measures are in place to respond to any actual or suspected data breach and ensure compliance with the relevant legislative framework under the Privacy Act.
OVERRIDING PRINCIPLES OF DATA BREACH POLICIES:
- Data should be protected and breaches contained.
- All data breaches, actual or suspected, no matter how minor, must be reported. Immediacy is paramount.
EXAMPLES OF A DATA BREACH:
- When an unauthorised third party maliciously accesses a company’s systems.
- When an email is accidentally sent to the wrong recipient.
- Abuse of electronic access privileges by staff.
- The sharing of confidential client information with an unauthorised third party, regardless of how sensitive.
- The publishing of confidential material on social media, or the internet in general.
WHAT CAUSES A DATA BREACH?
A data breach can be caused by a variety of factors. When minor security measures, such as frequent password changes, are forgotten about, this can give rise to a data breach.
Without a data breach policy, a company may not be equipped to adequately protect its clients and employees from the consequences of a data breach.