In Short
- A data breach response plan outlines the steps your business will take if a data breach occurs, helping to minimise damage and meet legal obligations.
- It should be tailored to your business’s specific risks and include procedures for identifying, containing and reporting breaches.
- In New Zealand, if a breach is likely to cause serious harm, you must notify affected individuals and the Privacy Commissioner.
Tips for Businesses
Develop a clear, practical data breach response plan involving your privacy officer and IT team. Ensure all staff understand their roles in the event of a breach. Regularly review and update the plan to address new threats. Being prepared can reduce the impact of a breach and help maintain trust with customers and regulators.
Digitally storing your information has numerous benefits, including reduced physical space and ease of access. You can share your business’s information more efficiently and reach more customers faster. However, operating online carries various security risks, and you need to account for those risks. If your business suffers a data breach, the consequences can be disastrous, and you may lose more than just information. With a data breach response plan, you can reduce some of the fallout. Therefore, this article will explain what a data breach response plan is and why your business may need one.
What Is a Data Breach?
The scope of a data breach can be quite broad, but generally, it can refer to a compromise in your business’ digital data, such as:
- unauthorised access to or misuse of your information systems;
- something preventing you from accessing your digital databases;
- accidental deletion or loss of your data;
- the release of your sensitive information into an unsecured area, such as the general internet; or
- unauthorised sharing of your business’ information.
The risk of data breaches at your business will vary according to your unique situation. Still, it is worthwhile to do a cyber security assessment to determine what risks you need to take into account. This task can also help you formulate a plan that meets your business’ needs.
What Is a Data Breach Response Plan?
As the name suggests, a data breach response plan sets out what you and your employees should do if a data breach occurs within your business. Your data breach response plan should reflect the security reality of your business. Likewise, it should be flexible enough to accommodate different kinds of data breaches.
You should develop your data breach response plan with your business’:
- privacy officer;
- IT expert; or
- other security officers within your business.
If you are unsure what your data breach response plan needs in order to be effective, consider engaging the help of an outside expert.
Does My Business Need a Data Breach Response Plan?
Dealing with the aftermath of a data breach is always easier if you have an identifiable plan for these situations. Ideally, you should have enough preventative measures to reduce the likelihood and impact of a data breach. Indeed, your response plan should take this into account. Any business can be the victim of a data breach, and preparing beforehand can help you in the long run.
Furthermore, the effects of a data breach can be devastating, depending on the kind of sensitive information that it has compromised. This data can include:
- sensitive business information, such as account data;
- personal health information;
- personal information of customers and employees;
- intellectual property, such as trade secrets; or
- reputation-damaging information.
When dealing with sensitive information like this, you will likely have various legal obligations attached to how you handle it. This applies both to personal information and to any information subject to contracts with business partners. As a result, you may have both privacy and contractual obligations you need to meet. Therefore, a data breach response plan that shows how you will meet these obligations when something goes wrong is vital.
What Should a Data Breach Response Plan Include?
The exact contents of your data breach response plan are up to you and will depend on the nature of your business. Importantly, ensure that it suits your business and includes solutions that you and your employees can realistically implement.
Some aspects to cover include plans or processes to:
- identify a potential data breach;
- determine an appropriate response;
- immediately contain and stop the spread of a breach;
- evaluate the effects of a breach;
- discover the cause of a breach;
- notify affected individuals; and
- improve security after a breach.
Importantly, ensure that your data breach response plan is easy for you and your staff to understand and access.
Key Takeaways
A data breach response plan sets out the steps you and your employees will take if your business is the victim of a data breach. You should tailor your plan to the security realities of your business and ensure you meet any necessary legal obligations along the way.
If you need assistance with data breaches, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0800 447 119 or visit our membership page.
Frequently Asked Questions
A data breach response plan is a document or policy that details what you and your employees should do if your business suffers a data breach. Its exact nature should reflect your business’ security needs.
If your business deals with personal information, you may need to inform the Privacy Commissioner if the data breach is likely to cause serious harm. You may also need to inform business partners as part of your contractual obligations.