Data Breach Response Plan

The response plan that FMI Works follows should any customer data be compromised either intentionally or unintentionally

This article is for IT and security professionals


This data breach response plan (the response plan) sets out procedures and clear lines of authority for FMI staff in the event that FMI experiences a data breach (or suspects that a data breach has occurred). A data breach occurs when personal information is lost or subjected to unauthorised access, modification, use or disclosure or other misuse. Data breaches can be caused or exacerbated by a variety of factors, affect different types of personal information and give rise to a range of actual or potential harms to individuals, agencies and organisations.


This response plan is intended to enable FMI to contain, assess and respond to data breaches in a timely fashion, to help mitigate potential harm to affected individuals. It sets out contact details for the appropriate staff in the event of a data breach, clarifies the roles and responsibilities of staff, and documents processes to assist FMI to respond to a data breach.

FMI experiences data breach/data breach suspected


Discovered by FMI staff member, or FMI otherwise alerted

FMI staff response

Some data breaches may be comparatively minor and can be dealt with easily without action from the Data Breach Response Team (response team). For example, an FMI staff member, as a result of human error, sends an email containing personal information to the wrong recipient. Depending on the sensitivity of the contents of the email, if the email can be recalled, or if the staff member can contact the recipient and the recipient agrees to delete the email, there may be no utility in escalating the issue to the response team.

Managers should use their discretion in determining whether a data breach or suspected data breach requires escalation to the response team. In making that determination, FMI Managers consider the following questions:
  • Are multiple individuals affected by the breach or suspected breach?
  • Is there (or may there be) a real risk of serious harm to the affected individual(s)?
  • Does the breach or suspected breach indicate a systemic problem in FMI processes or procedures?
  • Could there be media or stakeholder attention as a result of the breach or suspected breach?
If the answer to any of these questions is 'yes', the issue is escalated to the response team as follows:
  • Immediately notify a member of the Data Breach Response Team (Line Manager, CTO, or COO) of the suspected data breach.
  • Record and advise the time and date the suspected breach was discovered, the type of information involved, the cause and extent of the breach, and the context of the affected information and the breach.

FMI escalation response

  • Confirm whether a data breach has or may have occurred.
  • Determine whether the data breach is serious enough to escalate to the wider Data Breach Response Team (some breaches may be able to be dealt with by single response team members).
  • If necessary, immediately notify the remainder of the Data Breach Response Team.

Minor priority breach process

If a Manager decides not to escalate a minor data breach or suspected data breach to the response team for further action, the Manager will collect and document the following information for the response team Coordinator:

  • a description of the breach or suspected breach,
  • the action taken by the Manager or response team officer to address the breach or suspected breach,
  • the outcome of that action, and
  • the Manager's view that no further action is required.

Escalated priority breach process

There is no single method of responding to a data breach. Data breaches must be dealt with on a case-by-case basis, by undertaking an assessment of the risks involved and using that risk assessment to decide the appropriate course of action.

There are four key steps to consider when responding to a breach or suspected breach:
  1. Contain the breach and carry out a preliminary assessment
  2. Evaluate the risks associated with the breach
  3. Notify affected parties
  4. Prevent future breaches
The response team will undertake steps 1, 2 and 3 simultaneously or in quick succession. Depending on the breach, not all steps may be necessary, or some steps may be combined. In some cases, it may be appropriate to take additional steps that are specific to the nature of the breach.

Other Incident Responses

Most incidents, issues and problems that occur during the operation of the FMI Works system do not trigger our reporting requirements; for example, a DDoS attack on our servers that is automatically handled by our auto-detection system. However, from time to time such incidents may be deemed noteworthy and will be reported to customers even though they don't meet the conditions above. The 2021 Log4J vulnerability, which didn't affect our systems, was important enough that we drafted a statement for customers. These additional reports might be sent by e-mail or made public in our Security Updates section.