Westpac Banking Corporation Level 16, 275 Kent St Sydney NSW th January Mandatory Data Breach Notification

Transcription

1 Westpac Banking Corporation Level 16, 275 Kent St Sydney NSW th January 2018 Mandatory Data Breach Notification As you may be aware, on 13 February 2017 the Federal Parliament enacted the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) to incorporate mandatory data breach notification requirements into the Privacy Act 1988 (Cth). The new provisions come into effect on 22 February In response to these mandatory data breach notification requirements, Westpac has developed the attached Third Party Data Breach Notification Policy (the DBN Policy) which applies to service providers and other partners of the Westpac Group and takes effect from 22 February As you would be aware, Westpac requires our service providers and partners to comply with certain policies as part of good practice and their relationship with the Westpac Group. This requirement applies to the DBN Policy. This letter also constitutes formal notification of Westpac s requirement that your organisation complies with this policy for the purposes of each of your agreements with the Westpac Group in its locations and brands across Australia. For clarity, the DBN Policy does not in any way limit your obligations under your agreements with the Westpac Group in respect of privacy or data security. In the event that your organisation experiences or suspects a data breach that impacts (or may impact) any personal information provided to you by or on behalf Westpac, then in accordance with the DBN Policy, please notify your Westpac Business Contact immediately so that we can work together to manage our assessment and notification obligations. Please let us know if you have any concerns regarding your ability to comply with the DBN Policy within 10 business days. Yours sincerely, Jamie Kelly Chief Compliance Officer, Compliance, Legal & Secretariat

2 Third Party Data Breach Notification Policy. Date of Policy: 11 December 2017

3 Table of contents. 1. Purpose When does this Policy apply? Management of Notifiable Incidents Notification Remedial action Investigation and Reporting Assisting Westpac Prevention Implementation of this Policy Further information Definitions...7 Appendix A - Third Party Data Breach Notification Template....8 Third Party Data Breach Notification Policy. 11 December of 8

4 1. Purpose. The Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) incorporates mandatory data breach notification requirements into the Privacy Act 1988 (Cth). The new provisions come into effect on 22 February To help ensure Westpac is compliant with our obligations under the new requirements, and so that our third parties are clear about what we expect of them to support us in satisfying those obligations, Westpac has developed this Third Party Data Breach Notification Policy (the Policy). The Policy sets out Westpac s requirements for organisations in managing data breaches that impact Westpac Personal Information (as defined below). Most importantly, the aim of this Policy is to enable our respective organisations to: have open and prompt dialogue when suspecting, assessing and managing data breaches; work together to remediate and minimise the risk of harm to individuals whose personal information is impacted by data breaches; agree our notification responsibilities to the OAIC and affected individuals (especially if more than one organisation is affected by a notifiable data breach, we need to coordinate on notifications to the OAIC and affected individuals); and implement prevention plans to prevent data breaches from reoccurring. 2. When does this Policy apply? This Policy applies to suppliers, partners and other entities outside the Westpac Group who access or deal with Westpac Personal Information, on behalf of all Westpac locations and brands that are within our operational control and required to comply with the Privacy Act (referred to in this Policy as Third Party or Third Parties). In this Policy, any personal information provided to a Third Party by or on behalf of Westpac, or by a Westpac customer or employee to a Third Party, is referred to as Westpac Personal Information. A data breach occurs where there is unauthorised access to, or unauthorised disclosure or loss of, personal information. This Policy sets out five key steps for a Third Party to follow when it becomes aware or suspects that a data breach impacting Westpac Personal Information has occurred. Any data breach or suspected data breach of Westpac Personal Information is referred to in this Policy as a Notifiable Incident. For completeness, this Policy only applies to data breaches or suspected data breaches impacting Westpac Personal Information. However, Westpac continues to expect that Third Parties notify us immediately of all other data breaches that affect (or may affect) Westpac and/or your provision of products and services to Westpac. All defined terms are capitalised in this Policy. Please refer to Section 6 for Definitions. 3. Management of Notifiable Incidents. Notifiable Incidents are to be identified, notified, managed and remediated in accordance with this Policy. The five key steps for a Third Party to follow when managing Notifiable Incidents are set out below: Notification; Remediation; Investigation and Reporting; Assisting Westpac; and Prevention. Third Party Data Breach Notification Policy. 11 December of 8

5 Diagram A Management of Notifiable Incidents Notification Immediately notify the Westpac Business Contact of any unauthorised access to, or unauthorised disclosure or loss of, Westpac Personal Information. Provide the following details: nature and details of Notifiable Incident, possible impact of Notifiable Incident and preliminary actions and recommendations. Remediation Immediately after becoming aware of the data breach, take all necessary and appropriate action to: contain the Notifiable Incident and mitigate potential loss or interference with Westpac Personal Information; prevent harm to individuals as a result of the Notifiable Incident; and protect the information from any further misuse, loss, access, or disclosure. Take immediate remedial action. Immediately following notification, a Third Party will: Investigate & Report Appoint an incident manager and use an agreed communication process. Investigate and complete assessment of the Notifiable Incident within 3 calendar days. Provide Westpac with reasonable ongoing results of the investigation, assessment and recommendations. Assist Westpac Provide all reasonable assistance requested by Westpac in conducting Westpac s own investigation, assessment and management of the Notifiable Incident. Comply with Westpac s reasonable directions in connection with management of the Notifiable Incident. Prevention Provide to Westpac a final report specifying the root cause and corrective actions required. Implement prevention plans to prevent further similar incidents from occurring. 3.1 Notification. A Third Party will immediately notify its Westpac Business Contact as soon as it becomes aware of any grounds to believe or suspect that a Notifiable Incident has occurred using the Third Party Data Breach Incident Template in Appendix A. If a Third Party is unsure about whether to notify Westpac of an incident, the Westpac Business Contact needs to be notified as soon as practicable in order to have an open and prompt dialogue and if necessary, obtain further guidance. When notifying Westpac of any Notifiable Incident, Third Parties need to provide the following information (to the extent then known): Nature and details of the Notifiable Incident. the date of the Notifiable Incident; the date the Third Party detected or suspected the Notifiable Incident; description of the Notifiable Incident; the types of personal information affected (or suspected to be affected) and if not specifically known, explain the types of information that are held on the relevant system that may be affected; root cause of the Notifiable Incident (if known) e.g. malicious or criminal attack, system fault or human error or any control deficiencies or gaps; and whether the personal information affected is protected by one or more security measures, e.g. is it encrypted, anonymised or otherwise not easily accessible to unauthorised parties; Third Party Data Breach Notification Policy. 11 December of 8

6 3.1.2 Possible impact of Notifiable Incident. the number of individuals whose personal information is involved in the Notifiable Incident (if known); Preliminary actions and recommendations. any action taken by the Third Party to address the Notifiable Incident; any action taken to mitigate the harm an individual may suffer as a result of the Notifiable Incident; and recommendations for any actions that may or will be taken by the Third Party, Westpac and/or individuals who may be affected by the Notifiable Incident in order to mitigate its impact and prevent harm to affected individuals. 3.2 Remedial action. Immediately after becoming aware of the data breach or suspected data breach, a Third Party will: take all necessary and appropriate action to: contain the data breach e.g. stop the unauthorised practice or recover the records; mitigate potential loss or interference with Westpac Personal Information; prevent harm to individuals as a result of the breach; and protect the information from any further misuse, loss, access or disclosure; and take immediate remedial action to prevent the likelihood of harm occurring for any individuals whose personal information is involved in the data breach. This could include, but is not limited to, the following examples: Example 1: A data file, which includes the personal information of numerous individuals, is sent to an incorrect known recipient outside the organisation. The sender realises the error and contacts the recipient, who advises that the data file has not been accessed. The sender then advises the recipient that the file is not intended for them and confirms that the recipient has not copied, and has permanently deleted the data file (including, if necessary, by obtaining a Statutory Declaration from the recipient). Example 2: An employee leaves a smartphone on public transport while on their way to work. When the employee arrives at work they realise that the smartphone has been lost, and asks their employer s IT support staff to remotely delete the information on the smartphone. Because of the security measures on the smartphone and the fact that the deletion is actioned quickly, the IT support staff is confident that its contents could not have been accessed in the short period between when it was lost and when its contents were deleted. Example 3: An employee has left hard copies of documents containing Westpac customer Personal Information in a service provider s meeting room (and which the service provider would not otherwise have access to). The employee takes immediate action by contacting the service provider to put away the documents in a safe place until the employee returns to collect the documents. The supplier assures the employee that s/he has not accessed or disclosed the information while it was in his/her care. In this case, the employee considers the supplier s assurance to be credible and concludes unauthorised access or unauthorised disclosure has been adequately prevented from occurring. The employee may also take the additional step of requiring the service provider to provide a written certification to Westpac that they did not view, use or disclose the information while in their possession. Third Party Data Breach Notification Policy. 11 December of 8

7 3.3 Investigation and Reporting. Immediately following notification to Westpac under section 3.1, a Third Party will: appoint an incident manager to lead the initial assessment and be the primary contact point with Westpac concerning the Notifiable Incident; investigate and complete an assessment of the Notifiable Incident (to the extent then known), within three (3) calendar days, including the possible impact of the Notifiable Incident and the likelihood of harm to any individuals to whom the impacted information relates; identify and discuss with Westpac the steps available to contain the breach e.g. stop the unauthorised practice or recover records, and action any agreed steps as soon as practicable, and within the timeframe reasonably required by Westpac; assess whether further remedial steps can be taken to mitigate the harm an individual may suffer as a result of the Notifiable Incident; provide Westpac with reasonable ongoing updates on results of the investigation, assessment and recommendations provided in accordance with section 3.1 above and this section 3.3, at a frequency that reflects the severity of the Notifiable Incident, and until the remediation efforts are completed and the prevention plans (if applicable) implemented; and use agreed communication mechanisms or processes for providing those updates. 3.4 Assisting Westpac. Immediately following notification to Westpac under section 3.1, a Third Party will: provide all reasonable assistance requested by Westpac in conducting Westpac s own investigation and assessment of the Notifiable Incident; and comply with Westpac s reasonable directions in connection with management of the Notifiable Incident, including in relation to the prevention of future incidents. Additionally, a Third Party will: work with Westpac to determine whether the Notifiable Incident is likely to result in serious harm to affected individuals and therefore requires notification to the OAIC and affected individuals; allow Westpac to control the process of assessing and notifying affected individuals and the OAIC, and comply with Westpac s directions concerning those notifications if Westpac determines that notification is required; where together Westpac and the Third Party elect, for the Third Party to manage the notification process (for example, where the Third Party has the most direct relationship with affected individuals), consult with Westpac in a timely manner and comply with Westpac s reasonable directions in relation to the notification process; and consult with Westpac and take into account Westpac s reasonable considerations before issuing any notifications or statements to the OAIC and affected individuals, except to the extent that it would prevent a Third Party from complying with any laws (including privacy laws) and in which case, the Third Party will provide Westpac with copies of those notifications or statements as soon as practicable. 3.5 Prevention. Once: a Notifiable Incident is contained; risk of immediate harm is mitigated; and any required notifications to the OAIC and affected individuals are issued, a Third Party will: provide to Westpac a final report which specifies: the root cause of the Notifiable Incident; and the corrective actions to be undertaken to prevent a repeat occurrence of the Notifiable Incident, which will be specified in a prevention plan to Westpac s reasonable satisfaction. The prevention plan could include, for example, a security audit to identify required uplifts to physical and technical security; changes to policies and procedures to reflect lessons learned from the incident and investigation; review of employee selection and training practices; and review of the Third Party s service delivery partners; and implement the prevention plan. Third Party Data Breach Notification Policy. 11 December of 8

8 4. Implementation of this Policy. To enable Westpac to assess its ability to respond to Notifiable Incidents in accordance with its responsibilities, Westpac may undertake periodic reviews (at a reasonable frequency) to test and validate compliance. These reviews will predominantly focus on testing operational readiness and preparedness for responses to data breaches and mitigation strategies in place. They may incorporate screening, self-assessments, direct engagement with Third Parties, requests for supporting documents and data, external validation, and ongoing management and mitigation of material risks. 5. Further information. For further guidance on mandatory data breach notification under the Privacy Act, please refer to the Office of the Australian Information Commissioner s (OAIC) website: 6. Definitions. Term Notifiable Incident OAIC Privacy Act Third Party Westpac Westpac Business Contact Westpac Personal Information Description Any incident where a Third Party becomes aware of any grounds to believe or suspect that there has been unauthorised access to, or disclosure or loss of, Westpac Personal Information. Office of the Australian Information Commissioner Privacy Act 1998 (Cth) Third parties are suppliers, partners and other entities outside the Westpac Group who access or deal with Westpac Personal Information, on behalf of all Westpac locations and brands that are within our operational control and required to comply with the Privacy Act. Westpac Group or Westpac Banking Corporation and its subsidiaries or related bodies corporate including but not limited to Westpac Retail & Business Banking, St. George, Bank SA, Bank of Melbourne, BT Financial Group, RAMS Financial Group Pty Ltd, Westpac Institutional Banking and Westpac New Zealand. Any individual Westpac employee or contractor with whom a Third Party has a direct business relationship or is a Third Party s point of contact for Westpac-related matters. Personal information is defined under the Privacy Act to include any information or opinion, about an identified individual or an individual who can be reasonably identified from the information. The information will still be personal information whether it is true or not and regardless of whether there is a record of it. Personal information can be in any format. The definition is technology neutral and is not limited to information contained in records. Personal information might be contained in information that is shared verbally, captured digitally or recorded in writing. For example: A recording of a call containing an individual s voice may be that individual s personal information where the recorded person can be reasonably identified (e.g. when the recording is linked to the customer s file). Images of individuals in photographs or video will be personal information where the person s identity is clear or can be reasonably worked out from the image. The Westpac Group may provide Third Parties with, or Third Parties may otherwise obtain, the following types of personal information that may reasonably identify Westpac Group customers and/or employees: contact information (e.g. name, home address, phone number, address); financial details (e.g. credit information, credit card number, transaction information, etc.); government identifiers (e.g. Centrelink Reference Number, Medicare number); Tax File Number (TFN); date of birth; health or biometric information; and other sensitive information (such as sexual orientation, gender identity, racial or ethnic origin, criminal record, political opinions or religious views). In this Policy, all such personal information provided by or on behalf of the Westpac Group to Third Parties is referred to as Westpac Personal Information. Third Party Data Breach Notification Policy. 11 December of 8

9 Appendix A Third Party Data Breach Notification Template. Third Party Data Breach Notification Template Incident Reference Number Incident Name Incident Description (Please also include details of what types of personal information is affected (or suspected to be affected) and number of individuals that could be affected) Any Personal Information Security Measures (e.g. encrypted, anonymised, not easily accessible) Date Incident Occurred: Date Incident Detected: Incident Identified By: Incident Manager: Contact Details: Root Cause: (e.g. malicious or criminal attack, system fault or human error) Preliminary Actions: (e.g. any action taken to contain a data breach and/ or remedial action that prevents the likelihood of serious harm occurring for any individuals whose personal information is involved in the data breach) Recommendations: (e.g. recommendations for any actions that may be taken by the Third Party, Westpac and/or individuals who may be affected by the data breach in order to mitigate its impact) Disclaimer: This policy is current as at 11 December From time to time, we may make changes to our policy or policies, processes and systems in relation to how we handle data breaches. We will update this policy to reflect any changes. The information contained herein in relation to handling data breaches reflect Westpac policy requirements only and does not constitute, and should not be relied on as, legal or professional advice Westpac Banking Corporation ABN AFSL and Australian credit licence WBC Third Party Data Breach Notification Policy. 11 December of 8