This document sets out VIG's response to a data breach - the accidental or unlawful access, destruction or modification of company or user data.
All VIG personnel are trained to report any suspected or actual data breach to the Data Breach Coordinator (DBC), who is responsible for the execution of this plan.
Current DBC: Greg Fawcett dbc@vig.co.nz
Assessment
Target: Five minutes after breach notification
Evaluate available information to determine:
- Is the reported breach likely to be real?
- Is effective containment action possible?
- Do VIG personnel need to be informed?
Containment
Target: One hour after breach notification
If containment is possible, it is the first priority. If not, move on to analysis.
Consider the following actions to prevent ongoing harm:
- Revoke individual authentication (change password).
- Block IP addresses at firewall.
- Disable vulnerable functions of the service.
- Disable the entire service.
Containment is likely to disrupt services, so inform VIG personnel immediately.
Analysis
Target: Four hours after breach notification
- Create a new data breach report document (DBRD) specific to this data breach. The DBRD must include all information about the breach and our response to it.
- Gather and document evidence from:
  - VIG personnel
  - Users
  - System logs
  - Application logs
  - Email accounts
  - Vendors
- Assess the risk to affected individuals and organisations as NO RISK, MINOR RISK or MAJOR RISK. Document in the DBRD how this assessment was reached.
Notification
Target: Four hours after breach notification
Make a communications plan with stakeholders, informing them of the breach, our assessment of the risk, what we're doing about it, and how often they can expect updates.
- NO RISK stakeholders:
  - All VIG personnel.
  - The reporter of the data breach.
  - A representative of the organisation the reporter belongs to.
- MINOR RISK stakeholders:
  - All VIG personnel.
  - The reporter of the data breach.
  - A representative of the organisation the reporter belongs to.
  - A representative of each affected organisation.
- MAJOR RISK stakeholders:
  - All VIG personnel.
  - The reporter of the data breach.
  - A representative of the organisation the reporter belongs to.
  - A representative of each affected organisation.
  - Any affected government privacy authorities:
    - Australia: www.oaic.gov.au
    - Canada: www.priv.gc.ca/en/report-a-concern
    - New Zealand: www.privacy.org.nz
    - UK: ico.org.uk/make-a-complaint
Mitigation
Target: Seven days after breach notification
Complete the investigation of the data breach event, informing stakeholders of any progress. Document all findings in the DBRD.
Consider ways to reduce the risk of similar events, and implement them. These might include:
- Updating services.
- Updating policies and procedures.
- Improving user education.
- Improving staff training.
Review
The DBC will review the entire incident, including the effectiveness of this data breach plan. The plan will then be updated with any identified improvements.
The DBRD will be signed off and made available to all VIG personnel. Future DBCs will be required to read and discuss all DBRDs as part of their training.