The purpose of this procedure
To act in accordance with the Australian Privacy Act 1988
Data breach means unauthorised access to, or unauthorised disclosure of, personal information or a loss of personal information. Examples of a data breach are when a device containing personal information is lost or stolen, an entity’s database containing personal information is hacked or an entity mistakenly provides personal information to the wrong person.
Notifiable data breach means a data breach that is likely to result in serious harm, which must be notified to affected individuals and the Office of the Australian Information Commissioner (OAIC).
Personal information means information or an opinion about an individual who is identified, or who can reasonably be identified, from the information, whether or not the information or opinion is true or recorded in a material form, and includes sensitive information.
Sensitive information means information or an opinion that is also personal information about a person’s racial or ethnic origin, political opinions, memberships of political, professional and trade associations and unions, religious and philosophical beliefs, sexual orientation or practices, criminal history, health information, and genetic and biometric information.
1. Preparation Phase:
1.1 Data Inventory and Risk Assessment:
Maintain an up-to-date inventory of all personal data stored in HubSpot, categorised by data type and sensitivity.
Conduct regular risk assessments to identify potential vulnerabilities and assess the impact of data breaches.
Representatives:
Ravinder Kalvakuntla, IT Manager. Responsibilities: ensuring system security and compliance.
Janine Thistlethwaite, General Manager. Responsibilities: ownership of data structure.
1.2 Data Protection Officer (DPO) and Response Team:
Janine Thistlethwaite is appointed as Data Protection Officer and is the responsible individual who will lead the breach response efforts. She will be assisted by Alastair Noble (Principal), Ravinder Kalvakuntla (IT), Anisimoff Legal, and Cath Irvine (Strategy and Communications).
1.3 Communication and Training:
Train employees on data protection policies, procedures, and breach response protocols.
Ensure employees know how to report potential breaches internally.
2. Detection and Assessment Phase:
2.1 Breach Identification:
Implement monitoring tools to detect unusual activity and potential breaches, both in HubSpot and in any other systems external to it that contain PII.
2.2 Incident Assessment:
When a breach is suspected, the DPO and the response team should assess the situation to determine the nature and scope of the breach.
Identify the types of personal information affected and the potential impact on individuals.
2.3 Legal and Regulatory Requirements:
Determine whether the breach falls under mandatory reporting requirements of the Privacy Act 1988 and Notifiable Data Breaches scheme in Australia.
3. Containment and Eradication Phase:
3.1 Isolate and Quarantine:
If the breach is detected on a specific system or account, isolate and quarantine the affected system or account from the rest of your network. This prevents the breach from spreading to other parts of your infrastructure.
Reset passwords for all user accounts and admin roles associated with your HubSpot instance. Enforce the use of strong, unique passwords.
3.2 Multi-Factor Authentication (MFA):
Multi-factor authentication is currently used for all user accounts in MPA's HubSpot instance. This is in line with all third-party vendors, including Google Docs and Microsoft 365.
3.3 Access Control Review:
Review and update access permissions for users. Limit access to senior nominated management until the risk is assessed and mitigated.
3.4 Patch and Update:
Ensure that HubSpot and any integrated systems are up to date with the latest security patches.
3.5 Scan for Malware and Backdoors:
Perform a thorough scan for malware, malicious scripts, or backdoors that may have been planted by the attacker.
Analyse access and activity logs in HubSpot to identify any suspicious or unauthorised actions. This can help you understand the extent of the breach.
3.6 Revoke Unnecessary Access:
Revoke access to any third-party integrations, plugins, or applications that are no longer necessary or are not approved.
3.7 Review API Access:
Review the APIs used to connect with HubSpot, and restrict any unnecessary API access.
3.8 Audit Active Sessions:
Review active sessions in HubSpot and terminate any sessions that appear to be unauthorised.
3.9 Review Security Settings:
Review HubSpot's security settings and configurations to ensure they are set to the most secure options.
3.10 Engage HubSpot Support:
Contact HubSpot support to inform them about the breach. Follow their instructions.
3.11 Preserve Evidence:
Before making any changes, take screenshots or record logs that might be useful for forensic analysis or legal proceedings.
4. Notification and Reporting Phase:
4.1 Notify Affected Parties:
If the breach is likely to result in serious harm, notify affected individuals as soon as possible, providing clear information about the breach and its potential impact.
4.2 Notify Authorities:
If required by law, report the breach to the Office of the Australian Information Commissioner (OAIC) in compliance with the Notifiable Data Breaches scheme.
5. Communication and Public Relations:
5.1 Internal Communication:
Keep employees informed about the breach, its impact, and the steps being taken to address it.
5.2 External Communication:
Develop a clear and concise public statement that provides accurate information about the breach without disclosing unnecessary details.
Coordinate with legal and PR teams to ensure consistent messaging.
6. Post-Incident Review:
6.1 Incident Analysis:
Conduct a thorough review of the breach incident to identify lessons learned and areas for improvement.
Document the incident, response actions, and outcomes, including all advice from HubSpot, for future reference and audit purposes.
6.2 Continuous Improvement:
Use insights from the incident to enhance data protection measures, policies, and response procedures.