| What was the source of the information? |
| Was the subject information sourced from customers/ clients or other third parties? |
Yes |
No |
| Was the subject information created by the organisation and capable of being described as a trade secret or confidential? |
Yes |
No |
| Was the subject information created by the organisation but is not capable of being described as confidential or a trade secret? |
N/A |
Yes |
| Is the subject information held for or on behalf of a third party, including a government? |
Yes |
No |
| What information was lost? |
| Does the subject information contain confidential information, personal information or information capable of being characterised as a state secret? If yes, answer remaining questions in this section. |
Yes |
No |
| Does the subject information contain any credit card, bank account, online account and/or password information capable of being used to cause immediate loss to the data subject? |
Yes |
No |
| Does the subject information contain any health information, biometric information, other form of sensitive information or record of private behaviours or practices? |
Yes |
No |
| Does the subject information include indicia used to authenticate customers and customer accounts? |
Yes |
No |
| Does the subject information contain any government identifiers or information which has been deemed by the government to be confidential? |
Yes |
No |
| Does the subject information contain personal attributes or identifiers that are permanent or persistent? I.e. the information lost cannot be reset by the data subject? |
Yes |
No |
| If the subject information contains a number of items, consider the consequences of the data set as a whole: for example are names and addresses associated with particular services, needs or attributes? Is the subject information in the form of a customer list? |
Yes |
No |
| How many files were affected? |
More files |
Fewer files |
| How many individuals were affected? |
More individuals |
Less individuals |
| What is the nature of the breach and the perpetrator(s)? |
| Was the data accessed or downloaded from a secure system? If not, consider circumstances of data access. |
Yes |
No |
| Was the breach due to or caused by an error in systems or procedures? |
Yes |
No |
| Is the nature and extent of the breach understood or uncertain? |
Uncertain |
Understood |
| Do you know who caused the breach and the location of the data? |
No |
Yes |
What does the breach suggest about the party that has obtained the information? Are they:
- hacktivist?
- organised crime?
- competitor?
- business opportunist including current or former employee or contractor or current or former party who had been given access to systems?
- accidental recipient?
|
Hacktivist, organised crime, competitor |
Business opportunist, accidental recipient |
| Has the breach resulted in or is it likely to result in publication of the information? |
Yes |
No |
| Has the breach resulted in or is it likely to result in the use of the information for criminal or financial gain? |
Yes |
No |
| Is it possible that the information is held by one person or does it appear likely that it has been sold or distributed? |
Sold or distributed |
Held by one person |
| When did the breach/s first occur? |
Recently |
Some time ago |
| Did the breach involve repeated unauthorised access? If so, how long have they been going on? |
Longer period of time |
Shorter period of time |
| Is the breach the same or similar to one that has been suffered previously and come to public attention? |
Yes |
No |
| Does the breach indicate a failure to take reasonable steps to protect the information or a breach of any previous undertaking given in relation to the management of data? |
Yes |
No |
| What is the risk of harm to individual(s)? |
| Are any affected individual(s) particularly vulnerable in the context of this breach? For example does the lost data contain address information for individuals whose location is confidential? |
Yes |
No |
| Is there a risk to one or more data subjects of identity theft or fraud? |
High risk |
Low risk |
| Is there a risk to one or more data subjects of financial loss? |
High risk |
Low risk |
| Is there a risk to the physical safety one or more data subjects? |
High risk |
Low risk |
| Is there a risk to the emotional wellbeing of one or more data subjects? |
High risk |
Low risk |
| Is there a risk of loss of business or employment opportunities or one or more data subjects? |
High risk |
Low risk |
| Is there a risk of humiliation, damage to reputation or relationships to one or more data subject? |
High risk |
Low risk |
| Is there a risk of workplace or social bullying or marginalisation to one or more data subjects? |
High risk |
Low risk |
| What is the risk of harm to your organisation? |
| Is there a risk of the organisation losing business? For example, customers or government departments choosing not to utilise services in the future. |
High risk |
Low risk |
| Is there a risk of the organisation suffering financial loss? |
Risk dependent on nature of data and volume accessed |
Risk dependent on nature of data and volume accessed |
| Is there a risk of the organisation suffering reputational damage? |
High risk if notification required |
Low risk if no notification required |
| Is there a risk of the organisation incurring regulatory or criminal sanction? |
High risk dependent on nature of information accessed and cause of breach |
Low risk dependent on nature of information accessed and cause of breach |
| Is there a risk of further data breaches due to systems being comprised? |
Yes |
No |
| Has all of the subject information been retrieved? |
No |
Yes |
| Can the risk of identity theft be reduced or eliminated by changes to its system or advice to the affected individual or services? |
No |
Yes |
| Can the organisation remediate the breach, e.g. by compensating the individual(s)? |
No |
Yes |
Is it possible to:
- take all steps necessary to remediate any system failures;
- prevent or compensate any harm; and
- keep the data breach confidential?
|
No |
Yes |
| If the matter cannot be kept secret, when is it likely to become public knowledge? |
Sooner |
Later |
| Is it possible for the organisation to be compensated for any loss of business or for any financial loss? |
No |
Yes |
| Is it possible to negotiate with regulatory or law enforcement officials in relation to any applicable sanctions? |
No |
Yes |
| Is there an obligation to notify of the breach? |
| Is there an obligation to notify law enforcement of the data breach? |
Yes |
No |
| Is there an obligation to notify any regulatory or industry body of the data breach? |
Yes |
No |
| Is there an obligation to notify the data subject of the data breach or a person or organisation affected by the data breach? |
Yes |
No |
| Is there a contractual obligation to notify a party of a data breach? |
Yes |
No |
| Jurisdictional/law enforcement issues |
| Was the breach cross-jurisdictional? |
Yes |
No |
| Did the breach involve more than one jurisdiction outside your home jurisdiction? |
Yes |
No |
| If the breach is cross jurisdictional, is there a reliable and timely legal system in the jurisdiction where we believe the data or persons responsible are located? |
No |
Yes |
| Can the subject information be retrieved, including through law enforcement or court involvement? |
No |
Yes |
| If it is possible to recover the information, how long will it take? |
Long period |
Short period |