Data breach response plan

This document defines the University’s Data Breach Response Plan (DBRP). It describes the processes that the University will enact in response to an identified data breach.

This is the initial draft of the plan and will change as it receives feedback.

The plan is based on the Office of the Australian Information Commissioner’s (OAIC) guidance on data breach preparation and the OAIC’s own Data Breach Response Plan, and on the Office of the Victorian Information Commissioner’s (OVIC) guidance document.

Definitions

  • data breach - an incident where personal information that the University holds is subject to unauthorised access or disclosure, or is lost. This may be through system fault, malicious attack or human error.
  • personal information - includes contact (home address, email, phone number), financial (TFN, banking), identity (passport, licence), health and sensitive (religious, political, sexual) information on persons.
  • serious harm - may include serious physical, psychological, emotional, financial, or reputational harm. See the OAIC definition of Serious Harm for a list of ‘relevant matters’ that assist in determining this.
  • Cyber Incident Response Team (CIRT) - the team identified in the Incident Response plan to respond to Cyber Incidents, including a suspected Data Breach.

Process

The process for responding moves through 5 phases:

  1. Raise
  2. Contain
  3. Assess
  4. Notify
  5. Review

A potential breach can be discovered or reported by a variety of people: a member of the IT or Student Services team, a person from the OVC, the University, one of its vendors, staff of one of its Colleges, a student, or a member of the public.

1. Raise

If you become aware of, or are notified of, a data breach, record as much of the following as possible:

  1. the time and date
    • you are being informed
    • the suspected breach was discovered
    • the suspected breach occurred (if different to its discovery)
  2. the type of personal information involved (staff, student, academic, research, etc)
  3. the
    • mechanism (email, URL, hack, etc)
    • cause (if immediately known - human error, system fault, malicious)
    • extent of the breach (how many names or records), and
    • the context of the affected information and the breach (OVC, college, vendor, etc).

Then immediately notify the IT Manager.

2. Contain

Once a Data Breach form has been received, the CIRT will:

  1. Understand the nature of the suspected breach from (a) the report given, and if necessary, (b) their own initial diagnostic work

  2. Be able to answer the following key questions:

    1. Is it clear as to how the data breach occurred?
    2. Is the personal information still being disclosed, shared, or lost without authorisation?
    3. Who had/has access to the personal information?
    4. What can be done to secure the information, or stop the unauthorised access or disclosure, and reduce the risk of harm to affected individuals?
  3. Act to contain the breach. Depending on the nature of the breach, this may include:

    • Contacting email recipients asking them to delete the email
    • Changing the configuration of a server or service
    • Asking a website owner to remove or hide a page
    • Writing, testing, and deploying a bugfix
    • Contacting a vendor requesting a configuration or code change
  4. Produce an initial breach report, stating:

    • whether a data breach has or may have occurred
    • an estimate of the seriousness of the data breach or suspected data breach
    • if one has occurred, the steps taken to contain the breach and their result(s)
    • suggested further steps to take to contain the breach
    • any additional action(s)

The seriousness relates to the risk: the type(s) of information, the number of individuals impacted, and who had/has access to the information. The types of information are listed under Definitions in order of increasing likely significance, though that ordering may not hold in every case.

This report should be produced within two hours of the data breach being raised. The Vice-Chancellor is to then be notified of the breach and sent the report.

3. Assess

The ‘Raise a data breach’ form submission and the initial report are then assessed to

  • evaluate the risks, including potential harm to affected individuals, and
  • where possible, take action to remediate any risk of harm.

A more detailed assessment report is then written. This will collate and present the following:

  • the date, time, duration, and location of the breach
  • the type(s) of personal information involved in the breach
  • how the breach was discovered and by whom
  • the cause and extent of the breach
  • a list of the affected individuals, or possible affected individuals
  • the risk of serious harm to the affected individuals
  • the risk of other harms.

This assessment is to be reported to the University’s Management and Senior Leadership Teams.

The timeline for assessment is within 30 calendar days after the day the entity became aware of the grounds (or information) that caused it to suspect an eligible data breach.

4. Notify

In this phase the question of ‘who needs to be notified?’ is addressed.

  • Determine if other organisations need to be made aware of the breach at this preliminary stage

    • the Australian Cyber Security Centre (ACSC), police/law enforcement, or
    • other agencies or organisations that:
      • may be affected by the breach, or
      • can assist in containing the breach, or
      • can assist individuals affected by the breach, or
    • where the University is contractually required or required under the terms of an MOU or similar obligation to notify specific parties.
  • Determine whether and how to notify affected individuals.

  • Determine whether to escalate the data breach to the response team.

  • Convene the response team, if necessary.

  • Determine whether the breach has a Business Impact Level (BIL) of 2 or higher

  • Notify OVIC of the breach if necessary

  • Determine whether the breach is an eligible data breach under the NDB scheme.

  • Notify the AIC of the NDB, if necessary (see below)

Notifiable Data Breach (NDB)

The University is an entity covered by the NDB scheme because:

  1. we have an annual turnover of more than AU$3 million
  2. we are a TFN recipient (in the case of student data)

If there are reasonable grounds to believe an eligible data breach has occurred, the University must promptly notify any individual at risk of serious harm and notify the AIC using the NDB form on the OAIC’s website.

An eligible data breach occurs when the following criteria are met:

  1. There is unauthorised access to or disclosure of personal information held by an organisation or agency (or information is lost in circumstances where unauthorised access or disclosure is likely to occur). That is, a breach has been confirmed in phase 3 (Assess).
  2. This is likely to result in serious harm to any of the individuals to whom the information relates.
  3. The organisation or agency has been unable to prevent the likely risk of serious harm with remedial action.

If this is the case, affected individuals must be notified.

There are three options for notification. We can

  1. Notify all individuals
  2. Notify only those at risk of serious harm
  3. If the above are not practicable, publish a statement on the website and publicise it

Internal Communication

External Communication

The notification should include, as appropriate:

  • A description of the data breach including when it occurred;
  • A description of the personal information involved in the breach;
  • The steps the University has taken, or is taking, to contain the incident and minimise any potential harm arising from the incident;
  • The steps the affected individuals can take to reduce or avoid the risk of harm;
  • Contact information of an individual or a department within the University that affected individuals can speak to about the incident; and
  • The OVIC contact information and advice that affected individuals have a right of complaint to OVIC if they are not satisfied with the organisation’s response to their direct complaint.

5. Review

The review part of this process aims to help (1) prevent further data breaches in the source system or process and more broadly, and (2) improve the University’s response to future breaches.

  • Implement a strategy to identify and address any weaknesses in data handling by the University or one of its Colleges that contributed to the breach(es).
  • Conduct a post-breach review and report to Management Team, Senior Leadership Team, and the Executive on outcomes and recommendations.
  • Establish a system for a post-breach assessment of the University’s response to the data breach and the effectiveness of this data breach response plan.

A Vendor has a data breach

Jointly held information

Regarding a breach at a vendor, “an eligible data breach of one entity will also be considered an eligible data breach of other entities that hold the affected information”.

And “the entity with the most direct relationship with the individuals at risk of serious harm may be best placed to notify. This will allow individuals to better understand the notification, and how the eligible data breach might affect them.”

Therefore, a vendor may conduct the investigation and report this to the University, but it would be the University who notifies, for example, impacted students of the breach.

Questions for the vendor

  • What type of information was exposed?
  • What impact will this have on their organisation?
  • What impact (if any) will the breach have on public safety or services?
  • What volume of records/data was exposed?
  • Was it a misconfiguration/error, or was it a malicious exfiltration or theft of data identified?
  • Has it been/will it be reported to the Office of the Australian Information Commissioner (OAIC)?
  • Is it considered to be a Notifiable Data Breach (NDB)?

Last modified December 10, 2024: merge updated UMS help video links (b6521ae)