Swanned Pty Ltd Data breach response Plan

Contents

• Introduction
• Scope
• Purpose
• What is a data breach
• Responding to a data breach
• Data breach response plan
• Data breach response team

1. Introduction

This Data Breach Response Plan (Response Plan) sets out the procedure to be followed by Swanned Pty Ltd staff in the event that Swanned Pty Ltd experiences a data breach, or suspects that a data breach has occurred.

A data breach occurs when personal information (defined in section 6 of the Privacy Act 1988 (Cth)) is lost or subjected to unauthorised access, modification, use or disclosure or other misuse. Personal information refers to information that identifies or reasonably identifies an individual.

This policy sets out Swanned’s Pty Ltd procedures for managing a data breach, including the considerations around notifying persons whose privacy may be affected by the breach. Effective breach management, including notification where warranted, assists Swanned Pty Ltd in avoiding or reducing possible harm to both the affected individuals/organisations and the Swanned Pty Ltd and may prevent future breaches.

2. Scope

This policy applies to all staff and contractors of Swanned Pty Ltd . This includes temporary and casual staff, private contractors and consultants engaged by the IPC to perform the role of a public official. This policy will apply from the date of effect.

3. Purpose

The purpose of this policy is to provide guidance to Swanned Pty Ltd in responding to a breach of Swanned Pty Ltd held data, especially personal information.

Adherence with the Response Plan will ensure Swanned Pty Ltd can contain, assess and respond to data breaches in a timely fashion in order to mitigate potential harm to affected persons.

This plan:

• sets out the roles and responsibilities of staff;
• sets out the contact details of appropriate staff in the event of a data breach; and
• outlines the procedure to be followed in the event of a data breach.

Effective breach management, including notification where warranted, assists Swanned Pty Ltd in avoiding or reducing possible harm to both the affected individuals/organisations and Swanned Pty Ltd and may prevent future breaches.

4. What is a data breach?

A data breach

A data breach occurs when there is a failure that has caused or has the potential to cause unauthorised access to Swanned Pty Ltd data, such as:

• Unauthorised use, access to or modification of data or information systems (e.g. sharing of user login details (deliberately or accidentally) to gain unauthorised access or make unauthorised changes to data or information systems)
• Unauthorised disclosure of classified material or personal information (e.g. communications sent to an incorrect recipient or document posted to an incorrect address or addressee)
• Compromised user account (e.g. accidental disclosure of user login details through phishing)
• Failed or successful attempts to gain unauthorised access to Swanned Pty Ltd information or information systems
• Equipment failure
• Malware infection
• Disruption to or denial of IT services

A data breach most commonly, but not exclusively, results in unauthorised access to, or the unauthorised collection, use, or disclosure of personal information.

Responding to a data breach

There are four key steps required in responding to a data breach:

• Contain the breach
• Evaluate the associated risks
• Consider notifying affected individuals
• Prevent a repeat.

Each step is set out in further detail below. The first three steps should be carried out concurrently where possible. The last step provides recommendations for longer-term solutions and prevention strategies.

Step 1: Contain the data breach to prevent any further compromise of personal information.

Containing the breach is prioritised by Swanned Pty Ltd. All necessary steps possible must be taken to contain the breach and minimise any resulting damage. For example, attempt to recover the personal information, shut down the system that has been breached, suspend the activity that led to the breach, revoke or change access codes or passwords.

If a third party is in possession of the data and declines to return it, it may be necessary for Swanned Pty Ltd to seek legal or other advice on what action can be taken to recover the data. When recovering data, Swaned will make sure that copies have not been made by a third party or, if they have, that all copies are recovered.

Step 2: Evaluate the data breach by gathering the facts and evaluating the risks

To determine what other steps are needed, an assessment of the type of data involved in the breach and the risks associated with the breach will be undertaken.

Some types of data are more likely to cause harm if it is compromised. For example, personal information, location data, login information, images, conversations, names and email addresses.

Factors to consider include:

• What information has been affected? Swanned’s Pty Ltd assessment will include reviewing what personal information or data has been involved in the breach.
• Who is affected by the breach? Swanned’s Pty Ltd assessment will include reviewing whether individuals have been affected by the breach, how many individuals have been affected and whether any of the individuals have personal circumstances which may put them at particular risk of harm.
• What was the cause of the breach? Swanned’s Pty Ltd assessment will include reviewing whether the breach occurred as part of a targeted attack or through inadvertent oversight. Was it a one-off incident, has it occurred previously, or does it expose a more systemic vulnerability? What steps have been taken to contain the breach? Has the data or personal information been recovered? Is the data or personal information encrypted or otherwise not readily accessible?
• What is the foreseeable harm to the affected individuals/organisations? Swanned’s Pty Ltd assessment will include reviewing what possible use there is for the data or personal information. This involves considering the type of data in issue - if could it be used for identity theft, or lead to threats to physical safety, financial loss, or damage to reputation.
• Who is in receipt of the data? What is the risk of further access, use or disclosure, including via media or online?

Step 3: Notify individuals and the Commissioner if required.

Swanned Pty Ltd recognises that notification to individuals/organisations affected by a data breach can assist in mitigating any damage for those affected individuals/organisations.

Swanned Pty Ltd will also have regard to the impact upon individuals in recognition of the need to balance the harm and distress caused through notification against the potential harm that may result from the breach. There are occasions where notification can be counterproductive. For example, information collected may be less sensitive and notifying individuals about a privacy breach which is unlikely to result in an adverse outcome for the individual may cause unnecessary anxiety and de-sensitise individuals to a significant privacy breach.

Factors Swanned Pty Ltd will consider when deciding whether notification is appropriate include:

• Are there any applicable legislative provisions or contractual obligations that require Swanned Pty Ltd to notify affected individuals?
• What type of information is involved?
• What is the risk of harm to the individual/organisation?
• Is this a repeated and/or systemic issue?
• What risks are presented by the mode of the breach e.g. is it encrypted information or contained in a less secure platform e.g. email?
• What steps has Swanned Pty Ltd taken to date to avoid or remedy any actual or potential harm?
• What is the ability of the individual/organisation to take further steps to avoid or remedy harm?
• Even if the individual/organisation would not be able to take steps to rectify the situation, is the information that has been compromised sensitive, or likely to cause humiliation or embarrassment for the individual/organisation?

Notification should be done promptly to help to avoid or lessen the damage by enabling the individual/organisation to take steps to protect themselves.

The method of notifying affected individuals/organisations will depend in large part on the type and scale of the breach, as well as immediately practical issues such as having contact details for the affected individuals/organisations. Considerations include the following.

When to notify

In general, individuals/organisations affected by the breach should be notified as soon as practicable. Circumstances where it may be appropriate to delay notification include where notification would compromise an investigation into the cause of the breach or reveal a software vulnerability.

How to notify

Affected individuals/organisations should be notified directly – by telephone, email or within the app.

Indirect notification – such as information posted on the Swanned’s Pty Ltd website, a public notice in a newspaper, or a media release – should generally only occur where the contact information of affected individuals/organisations are unknown, or where direct notification is prohibitively expensive or could cause further harm.

What to say

The notification advice will be tailored to the circumstances of the particular breach.

Content of a notification could include:

• information about the breach, including when it happened
• a description of what data or personal information has been disclosed
• assurances (as appropriate) about what data has not been disclosed
• what Swanned Pty Ltd is doing to control or reduce the harm
• what steps the person/organisation can take to further protect themselves and what Swanned Pty Ltd will do to assist people with this
• contact details for Swanned Pty Ltd for questions or requests for information
• the right to lodge a privacy complaint with the Privacy Commissioner.

It may also be appropriate to notify other third parties, such as:

• The OAIC.
• The Police.
• Insurance providers.
• Credit card companies, financial institutions.
• Professional or other regulatory bodies.
• Other internal or external parties who have not already been notified.
• Agencies that have a direct relationship with the information lost/stolen.

The OAIC strongly encourages agencies to report serious data breaches involving personal information. The following factors should be considered in deciding whether to report a breach to the OAIC:

• any applicable legislation that may require notification;
• the type of personal information involved and whether there is a real risk of serious harm arising from the breach;
• whether a large number of people were affected by the breach;
• whether the information was fully recovered without further disclosure;
• whether the affected individuals have been notified; and f if there is a reasonable expectation that the OAIC may receive complaints/inquiries about the breach.

Step 4: Review the incident and consider what actions can be taken to prevent future breaches.

Swanned Pty Ltd will further investigate the circumstances of the breach to determine all relevant causes and consider what short or long-term measures could be taken to prevent any recurrence.

Preventative actions could include a:

• Security audit of all involved systems
• Review of policies and procedures
• Review of staff/contractor training practices; or
• Review of contractual obligations with contracted service providers

Notifying the Privacy Commissioner

As a matter of good practice, Swanned’s Pty Ltd Director will notify the NSW Privacy Commissioner of a data breach where personal information has been disclosed and there are risks to the privacy of individuals. In doing so Swanned Pty Ltd will ensure that relevant evidence is contained securely for access by the Privacy Commissioner should regulatory action be considered appropriate. Such notification will:

• demonstrate to the affected individuals and broader public that Swanned Pty Ltd views the protection of personal information as an important and serious matter and may therefore maintain public confidence in Swanned.Pty Ltd
• facilitate full, timely and effective handling of any complaints made to the Privacy Commissioner in regard to the breach and thus assist those whose privacy has been breached.

Notification should contain similar content to that provided to individuals/organisations. The personal information about the affected individuals is not required. It may be appropriate to include:

• a description of the breach
• the type of personal information involved in the breach
• what response Swanned Pty Ltd has made to the breach
• what assistance has been offered to affected individuals
• the name and contact details of the appropriate contact person, and
• whether the breach has been notified to other external contact(s).

Template response

Dear [name]

I am writing to you with important information about a recent data breach involving your personal information / information about your organisation. The Information and Privacy Commission became aware of this breach on [date].

The breach occurred on or about [date] and occurred as follows:

(Describe the event, including, as applicable, the following):

• A brief description of what happened.
• Description of the data that was inappropriately accessed, collected, used or disclosed.
• Risk(s) to the individual/organisation caused by the breach.
• Steps the individual/organisation should take to protect themselves from potential harm from the breach.
• A brief description of what Swanned Pty Ltd is doing to investigate the breach, control or mitigate harm to individuals/organisations and to protect against further breaches.

Please call me with any questions or concerns you may have about the data breach.

We have established a section on our website [insert link] with updated information and links to resources that offer information about this data breach.

We take our role in safeguarding your data and using it in an appropriate manner very seriously.

Please be assured that we are doing everything we can to rectify the situation.

Please note that under the [PPIP Act / HRIP Act / GIPA Act] you are entitled to register a complaint with the NSW Privacy Commissioner or NSW Information Commissioner/CEO with regard to this breach. Complaints may be forwarded to the following:

[insert details]

Should you have any questions regarding this notice or if you would like more information, please do not hesitate to contact me.

Should you have any questions regarding this notice or if you would like more information, please do not hesitate to contact me.

Yours sincerely,

[Insert applicable name and contact information]

Template report and Action

Description of data breach	Action taken
When What How	Notification Containment
Description of Risks	Action Proposed
Risk Harm Affecting
Description of Causes	Action Proposed
How why	Change Train Remind Review Stop Media Remedy
Notification to the NSW Privacy Commissioner

IF A DATA BREACH OCCURS

Step 1	Contain the breach - Take immediate steps to contain - Designate person to coordinate response
Step 2	Evaluate the risks - Consider what information is involved - Determine the context of the information - Establish cause and extent - Identify the risk
Step 3	Consider breach notification - Do a risk analysis on a case by case basis - Not all breaches warrant a notification
Step 4	Review the incident and take action to prevent further breaches - Fully investigate cause - Develop prevention plan - Audit the plan - Update data breach response oan - Make changes to policies - Revise staff training

Contact Persons

The response team includes

IT	Pratik Kayastha Head of technology Email: support@getswanned.com
Marketing	Natalie Smith Head of Marketing Email: natalie@getswanned.com
Finance	Isla Cameron Head of Finance Email: admin@getswanned.com
Customer Service	Natalie Smith Head of Marketing Email: marketing@getswanned.com

References

This Data Breach Response Plan has been developed in accordance with and with reference to the OAIC’s Data breach notification: a guide to handling information security breaches (The Guide).

https://www.oaic.gov.au/privacy/guidance-and-advice/data-breach-preparation-and-response/part-1-data-breaches-and-the-australian-privacy-act/#what-is-a-data-breach

In the event of a data breach, the Response Team should reference the Guide as it provides further detail that may be of assistance to the Response Team.

Other References:

Part 7-1 Privacy Act 1988 (Cth)

Version 1:1

Date of effect: September 2021