If your mobile loans officer’s laptop computer is stolen from the back of his car, do you know what information is stored on it?
How do you decide whether to tell members whose information was stored on the computer? What are your procedures for notifying your members that their personal information is at risk and that they might be subject to identity fraud? Who else should you notify (e.g. police, the Privacy Commissioner, your insurer)?
The same questions could be asked in respect of a lost flash drive (memory stick) containing your staff's personal details, a stolen box of out-of-date credit reports, or a CD left in an airport computer.
Whilst there is no mandatory data breach notification law in Australia yet, the Privacy Commissioner has issued a Voluntary Data Breach Notification Guide.
If you don't yet have a policy on these issues, the Guide contains an excellent framework for decision-making and good sample scenarios.