Insight Data Loss Policy – Incident Response Plan
Approval Date: March 2023
Review Date: February 2025
Review By: Directors
The policy applies to My Charity Raffle and InsightCFS, which are businesses of Insight Holdings Consolidated Pty Ltd (ACN 111 803 475). See contact details below.
Update
Mandatory Ransomware Payment Reporting: Organizations such as Insight are now required to report any ransomware payments to the Department of Home Affairs and the Australian Signals Directorate within 72 hours of payment. https://www.cyber.gov.au/report-and-recover/report
Proposed Change
In September 2024, the Australian Government introduced the Privacy and Other Legislation Amendment Bill 2024, marking the first phase of comprehensive reforms to the Privacy Act 1988. Notable changes include enhanced penalties for privacy breaches: the Bill proposes increased penalties for serious or repeated privacy breaches, with fines up to the greater of A$50 million, three times the value of any benefit obtained through the misuse of information, or 30% of the company’s adjusted turnover.
This policy relates to InsightCFS’s sales, banking and data management operations and is intended to apply to relevant Insight suppliers and Insight clients.
The data covered by this policy may be affected by the following types of loss or theft:
• Accidental loss or removal of data by a staff member destroying a document or file.
• Deliberate removal with valid reason or explanation; copying of information.
• Loss of data in transit through deletion or loss of services.
• Interference with Insight’s storage or communication of data.
Data could include:
• Personal contact information
• Telephone contact records
• Customer purchase information
• Customer payment information. Note that payment records are retained at Westpac and are not present in Insight’s servers.
Policy
This policy and methodology apply from 22 February 2018.
Insight requires its suppliers to follow this procedure and to assist Insight in responding to a loss of Insight data which a supplier may process.
The following clauses have particular relevance to suppliers: 1, 2, 3, 9 and 10. Relevant suppliers are:
o Phone service providers
o Data storage providers
o ISPs, data hosts
o Clients
o Mail houses
o Contractors using or accessing Insight facilities
The following are not included in this policy: telecommunications service providers and post service providers.
Third party suppliers or clients which agree to follow this process are asked to sign a copy of this document and return it to Insight.
Procedure
1. What constitutes a data loss?
A data loss is the unintended loss (dispossession, ruination) of data from Insight’s control. Data is records or information which identifies a customer or contact or has value. Data loss includes a breach of security measures which could lead to loss. The cause, size or details of the loss are unimportant. All data breaches are to be dealt with under this policy.
A Data Loss may occur as a result of:
• Loss in transit by FTP or email or mail or other means
• Loss by lack of encryption allowing access by unknown persons
• Theft from data storage by hacking
• Theft from data storage by removal of data
• Deletion of data records
2. What actions should your staff take?
All data breaches must be reported to the General Manager of Insight immediately. Do not wait to investigate before notifying. Data losses may occur at any hour, so action under this policy must be taken at the time of the loss. The following staff are responsible for 24-hour monitoring of events and must be available to respond as required: Senior Data Analyst and Administration Manager. Data losses are treated as confidential and are not for public announcement until the extent and nature of the problem is understood and the risk of causing unnecessary alarm has been considered. Each loss must be assessed for immediate preventative action such as:
a. disconnection,
b. remedy faulty settings,
c. reinstatement of a service.
Those steps should be assessed for the risk of causing further loss and of destroying evidence.
i. Do not access or alter compromised system(s): do not log on to the compromised system(s) at all or change passwords, and do not log in as root. To avoid losing critical data, it is highly recommended that the compromised system not be used.
ii. Do not turn the compromised system(s) off. Instead, isolate the compromised system(s) from the network (e.g., unplug the network cable).
iii. Preserve all evidence and logs, i.e., original evidence, security events, web, database and firewall logs, etc. Ensure the integrity of the evidence is not impacted by any tools used in the collection and analysis process.
iv. Document all actions taken, including dates and individuals involved.
3. All data losses must be investigated by a response team. The response team must attempt to determine what data was lost, when the loss occurred and how. If preventative action is recommended, it must be implemented to prevent further loss, provided the change is not permanent. The investigation may include clients and suppliers. The investigation must assess the number of persons impacted, the seriousness of the impact on those people and the value or usefulness of the data to others. The team should identify any secondary parties impacted because of the loss of the data. Significantly, each investigation must address the definitions of serious data breach and eligible data breach. The investigation must include a report covering the items in this policy for the MD and for future reference.
4. Who is a member of the response team?
The response team would normally comprise the COO, IT Manager and Compliance Manager. The response team may include external suppliers.
The roles follow these officers’ functions and report to the Managing Director.
5. Response measures may include:
a. Preserve evidence.
b. Re-install the affected system(s) from scratch and restore data from backups if necessary. Preserve evidence before doing this.
c. Make users change passwords if passwords may have been sniffed.
d. Be sure the system has been hardened by turning off or uninstalling unused services.
e. Be sure the system is fully patched.
f. Be sure real time virus protection and intrusion detection is running.
g. Be sure the system is logging the correct events and to the proper level.
6. Is the event a data loss, a data breach or a serious data breach? The Privacy Amendment (Notifiable Data Breaches) Act 2017 says that a data breach is unauthorised access to or disclosure of personal information, or its loss.
A serious data breach occurs if there is a real risk of serious harm to the individual to whom the information relates, who may be a customer (supporter, paying customer, subject of information), a client or Insight. Serious harm is a high threshold for the proposed mandatory data disclosure regime under the Privacy Act and relates to personal safety or loss of funds, but may include stress or embarrassment. This policy recognises that serious harm needs to consider the loss which may occur to the clients of Insight if there is loss of faith in the campaigns and the campaign processes, including payment processing, marketing or the use of specific suppliers.
“Eligible data breaches” are defined as data breaches, including data loss incidents, where a “reasonable person would conclude that [the breach] would be likely to result in serious harm to any of the [affected individuals]”. ‘Serious harm’ could include physical, psychological, emotional, economic and financial harm, as well as harm to reputation. The “serious harm” test does not require the harm to be suffered by all affected individuals; rather, this must be assessed on a case-by-case basis. The test is satisfied if any individual whose information has been breached would suffer the harm.
The event team is responsible for preparing a note of the suspected eligible breach which will cover:
• the identity of the organisation;
• the description of the eligible breach;
• the kind of information concerned;
• recommendations to the individuals affected as to steps to take in response to the breach; and
• preventative or ameliorating steps which can be taken and their time frame.
7. Who is responsible for notifying those affected where necessary or required?
Persons affected by the loss include clients, customers of clients (supporters), Insight and the appropriate regulator.
Under this policy, the Managing Director of Insight will determine whether an eligible data breach has occurred, and whether, as a result of action taken before serious harm occurs, the loss, access or disclosure may be taken not to have occurred. The Managing Director of Insight will consider the advice of the client and the response team and decide if the data loss is a serious data breach which requires reporting to any regulator or notification to a customer.
If an eligible data breach has occurred, the Privacy Commissioner must receive a copy of a statement (See section 26WK) and affected individuals must be notified as soon as practicable, with a notification containing certain prescribed information.