
Notifiable Data Breaches – Lessons from PageUp


Presentation by Samantha Chan from Macquarie University to ARDC's 'GDPR and NDB scheme: Intersection with the Australian research sector' webinar on 13 September 2018


  1. Notifiable Data Breaches – Lessons from PageUp (Macquarie University)
  2. Overview of the Notifiable Data Breach Scheme (DVC / COO | Risk & Assurance)
     Under the Privacy Act, effective 22 February 2018, serious data breaches must be reported to the regulator and affected individuals. Elements of a notifiable data breach:
     • 01 Breach: unauthorised access, disclosure or loss of personal information that an entity holds
     • 02 Serious harm: likely to result in serious harm to one or more individuals
     • 03 Un-remediated: the entity has not been able to prevent the likely risk of serious harm with remedial action
     • Notification must occur ‘as soon as practicable’ once aware.
     • The University has 30 days to investigate and reach a view on whether the breach is notifiable.
  3. MQ’s approach
     While MQ is primarily governed by the NSW Privacy and Personal Information Protection Act, the NDB scheme is applicable to the controlled entities. Consequently MQ proactively adopted the scheme across the University and developed an NDB Response Plan as a sub-plan to the Incident and Crisis Management Framework.
     • First step: Take immediate steps to limit the breach; this may include stopping the practice or shutting down systems that are breached. Notify relevant response teams per responsibilities.
     • Second step: Assess and validate whether the data breach is likely to result in serious harm to any of the individuals whose information was involved. As part of this assessment, remedial action should be considered where necessary.
     • Third step: Notify individuals and the Commissioner if serious harm is likely.
     • Fourth step: Review the incident and consider what actions can be taken to prevent future breaches.
  4. PageUp Breach
     PageUp Limited, an online recruitment services organisation, experienced a data breach with downstream effects to their customers. Timeline (slide lanes: First response | PageUp Response | MQ response):
     • Initial detection: malicious activity detected by PageUp on 23rd May
     • Investigation: forensic investigation launched to understand the extent of the potential breach
     • Notification: initial public notification on the 5th June
     • Update: confirmation of details that had been potentially compromised, through a joint statement with the OAIC on 18th June
     • OAIC notification: MQ notifies the OAIC on 21st June
     • Stakeholder notification: 86,000 impacted individuals notified on 22nd June via email
     • Response team: response team formed to respond to queries raised by 70 affected individuals
     • Recovery: lessons learned conducted and recommendations implemented
  5. Lessons learned
     Following the breach we identified areas where our response and processes could be improved:
     • Flexibility in response
     • Communication is key
     • Examine your contractual arrangements
     • Use the available resources