When it comes to reporting a data breach, are you match fit?
With a shift in the way we respond to privacy breaches coming next March*, now is a great time, if you haven’t already, to reflect on your privacy processes and policies. What are your obligations, and do you have the most robust privacy policies in place?
Based on the recommendations in New Zealand’s Privacy Act, what do you need to do if your information is accessed maliciously, misused, shared unintentionally or deliberately, or a device is lost or stolen, and there is a privacy breach as a result? More specifically, who should you let know, and what, when and why should you tell them?
Fundamentally, the law is designed to protect your customers’ rights, dignity and reputation, and to alleviate economic, emotional and physical harm.
Be careful about who you notify. Telling the wrong people by mistake can cause unintentional damage to both them and your brand. Only tell customers when you are sure that their information has been compromised and there is a risk of harm.
Consider the type of information you hold. Is it highly sensitive? For example, is it mental health or medical records, or disciplinary details? Would a leak of that information hurt someone’s reputation, relationships or job security? And even if it’s not deeply personal, consider whether there is a risk of whoever ends up holding that information using it for criminal activity – say, delivery instructions to “leave parcels round the back” or “there’s a key in the pot plant” might result in theft. Use your imagination and plan for the possible worst-case scenario.
So, you’ve established that the privacy breach could cause harm. You must let your affected customers know as soon as possible after discovering the breach. However, if the police are involved, check with them first in case it impacts their investigation.
It’s best to let people know directly – either by phone, letter, email or in person. It’s more genuine and personal than a website or social media post, and it demonstrates that you are accountable and willing to put the work in to repair the relationship and, hopefully, regain their trust.
The Privacy Commissioner
If someone’s privacy has been breached you must also notify the NZ Privacy Commissioner as soon as possible after the date of becoming aware of the breach.
Even if the breach is unlikely to cause any harm to your customers, it’s sensible to let the Office of the Privacy Commissioner know because they can give you advice on what to do next. It gives you the opportunity to be open about it, demonstrate you take privacy seriously, and discuss what you’re doing to fix it.
You should consider letting credit card companies, financial institutions or credit reporting agencies know about the data breach, especially if the information is around bank account numbers, credit card details, next of kin, dates of birth and other unique identifiers.
Also think about the breach from an insurance perspective and get in touch with your insurers where needed.
Key suppliers and contractors
Do you have any third-party suppliers for whom the leak of information will breach their confidentiality or affect their ability to do their job properly? Again, it’s about being open and proactive, and thinking about how a breach of information will affect your working relationship.
If your key supplier or third-party contractor is the one who has the direct relationship with the person whose data has been compromised, then responsibility for notification falls on them.
Be aware that your international customers will fall under a different jurisdiction. The Office of the Australian Information Commissioner has a notifiable data breach form.
Customers affected and the Privacy Commissioner in Australia must be notified and the following information must be included:
· the identity and contact details of the organisation
· a description of the data breach
· the kinds of information concerned
· recommendations about the steps individuals should take in response to the data breach.
The European Union’s sweeping General Data Protection Regulation (GDPR) came into effect in May last year. Its all-encompassing impact extends far beyond Europe to include any company that has EU-based customers. It’s wise for us to take its rules into account when developing privacy policies, as data breaches could result in hefty fines and severe damage to your reputation.
In summary, the GDPR rules are around:
– Consent – Consent must be given to obtain and hold personal information.
– A specific purpose – Data must be collected and used for a purpose, and only that purpose.
– Security – Data must be held in an accurate and secure way.
– Deletion – Data must be destroyed once the specific purpose of use has expired.
Not sure whether to notify a breach?
The website of the UK Information Commissioner’s Office has a handy self-assessment for data breaches, to ascertain whether you need to let them know.
Summary of key points:
1) There’s no one-size-fits-all response to data breaches. Exercise your discretion and think about each incident on a case-by-case basis.
2) There is the potential to be an over-sharer.
3) What type of information do you hold and does it have the potential to cause harm if it falls into the wrong hands?
4) Think about harm holistically – could it compromise someone’s mental health, dignity, job security, relationships, security of their home or assets?
5) Use your imagination and think laterally – it’s best to think about all possible scenarios. Plan for the worst case.
6) Consider if it’s a one-off breach or a systemic failure – this will help you contain the issue and prevent it happening again.
7) The Privacy Commissioner and its equivalents throughout the world have lots of great resources for you to brush up your knowledge on privacy rules and your responsibilities.
8) Most importantly, prevention is better than cure – think about how you collect, store, share and destroy information, and evaluate if you’re putting personal information at risk.
We can help
The IT Psychiatrist can design and develop best practice policies, processes and strategies around data collection, storage and sharing, so that you feel confident that your business is protected, compliant and ready for the upcoming changes to privacy law.
You may also need some more resources to get ready for the changes. We can be your dedicated part-time IT manager for as long as you need and connect you with a Virtual Privacy Officer.
If you want industry-leading and best practice IT policies, processes and strategies, or a part-time IT manager to help you get ready for the privacy changes, please give us a call.
*Changes to the Act were due to come into effect on July 1; this has been pushed out till 2020.