Data breaches can be caused or exacerbated by a variety of factors, involve different types of personal information, and give rise to a range of actual or potential harms to individuals and entities.
As such, there is no single way of responding to a data breach. Each breach will need to be dealt with on a case-by-case basis, with an understanding of the risks posed by a breach and the actions that would be most effective in reducing or removing these risks.
Generally, the actions taken following a data breach will follow the following four key steps:
Contain the data breach to prevent any further compromise of personal information.
Assess the data breach by gathering the facts and evaluating the risks, including potential harm to affected individuals and, where possible, taking action to remediate any risk of harm.
Notify individuals and the Commissioner if required. If the breach is an ‘eligible data breach’ under the NDB scheme, it may be mandatory for the entity to notify.
Review the incident and consider what actions can be taken to prevent future breaches.
At any time, we will take remedial action, where possible, to limit the impact of the breach on affected individuals. If remedial action is successful in preventing a likely risk of serious harm to individuals, the NDB scheme notification obligations may not apply.
The following diagram summarises our data breach response process.