Comply Group has contracted a third-party Incident Response (IR) team to provide 24/7, 365 support in the instance of a data breach, or discovery of attempts by malicious actors to invoke a data breach.
Note: if you are unfamiliar with the cybersecurity process/protocols, read this first.
Many of Comply Group's customers have not utilised advanced technology that captures sensitive data at a large scale like this before.
If you're reading this article and cybersecurity is an entirely new concept for you, please call us on 1300 264 822 and we can walk you through what this means and how it relates to your organisation.
The scenario used to describe this protocol is a worst-case scenario and is (highly) unlikely to occur. Regardless, if it were to occur, we are prepared for it.
High-level process (for Australian data)
In the event a data breach has occurred, from a high-level perspective, the following protocol will be undertaken in a timely manner, and in compliance with regulations.
Comply Group will contact the Incident Response (IR) team for immediate support to verify the breach and remediate future occurrences.
The IR team will discover and verify the full and exact extent of the data breach, including impacted organisations, and types/classification of data impacted.
After positive verification of data loss, Comply Group will contact the national government regulator for privacy and freedom of information with the details.
Comply Group will share a custom breach notification detailing the extent of the breach as it pertains to each impacted organisation, and include communication recommendations and next steps from the national regulator.
In Australia, the national government regulator for privacy and freedom of information is the Office of the Australian Information Commissioner (OAIC). In our communications with the OAIC the following information will be provided/requested:
Provided: Full details of the extent of the data breach including organisations impacted, and a range of PII both in data types, volume, and impacted States/Territories.
Requested: Confirmation of next steps to take with regards to; contacting impacted individuals and notifying State information commissioners (e.g. OVIC).
High-level process (for non-Australia data)
Whilst the majority of Comply Group's customers are in Australia, we do have customers in countries all over the world. Here's a summary of how we operate our IR protocols in other jurisdictions around the world:
The above high-level process will be followed for each country or jurisdiction, with the OAIC and state-level information commissioners updated respectively.
In addition, for European organisations (containing EU citizen data), where an additional item will be added where the EU will be notified within 72 hours.
Until 31 December 2020, all UK citizens are protected under the GDPR, after which this advice will be updated to follow UK-only data breach protocols.
Other important points
Insurance. Comply Group uses CFC Lloyd’s Combined Technology Insurance product(s) for professional indemnity, public liability, and cyber event insurance.
Enterprise process. For enterprise customers, there is flexibility to collaboratively modify this process to meet specific requirements for your organisation.