Summary
This policy describes how Rise-X will respond to a data breach, in adherence to the Privacy Act 1988.
At Rise-X we implement a number of preventive measures to protect against data loss and data breaches. We use industry-leading technology and practices to keep your data safe from loss and from unauthorised access. While we strive for zero incidents, such as data loss, there are some things which are outside of our control and which we cannot eliminate, such as malicious actors, cyber criminals or unintended mistakes by end users.
In addition to doing the right things to avoid a breach, we also have a number of recovery measures to minimise the impact of a notifiable data breach in the case where an event does occur.
This policy outlines:
- the steps that Rise-X will take to contain, assess, notify, and review any data breaches that might occur; and
- notifiable data breaches and how Rise-X will address them if they occur.
All Rise-X employees, officers, representatives or advisers (‘Employees’) are required to understand and act in accordance with this policy.
Data Breach Definition
A data breach occurs when personal information or intellectual property held by Rise-X is subject to unauthorised access, disclosure, modification, or is lost. Data breaches can occur in a number of ways, including but not limited to:
- Unauthorised third-party security breaches (e.g. hackers)
- Unauthorised access, disclosure or modification by Employees and users
- Data breaches of third-party services used by Rise-X that affect user data
Specific to Rise-X’s business, the following have been identified as possible data breach sources:
- Accidental loss, unauthorised access, or theft of classified data or of equipment on which data is stored, such as company laptops, tablets, or other endpoint devices.
- Unauthorised use, access to, or modification of data on Rise-X’s cloud databases and/or information systems.
- Accidental disclosure of Rise-X user data or intellectual property, such as via email to an incorrect address.
- Unauthorised data collection by third parties posing as Rise-X, e.g. phishing scams.
- Failed or successful attempts to gain unauthorised access to Rise-X information or information systems.
- Unauthorised data collection by third parties through malware infections on Rise-X cloud databases or hardware equipment.
What to do if a Data Breach is Suspected?
At Rise-X we continually monitor the use of our services to identify and detect potential threats that may result in a notifiable data breach. If we become aware of any potential threat, we will assess it to determine whether or not a notifiable data breach has in fact occurred. Where we determine that a notifiable data breach has occurred, we will inform impacted customers as soon as is reasonably possible and take recovery actions to limit the impact of the data breach.
Data Breach Response Plan
In accordance with OAIC recommendations, the following steps will be taken in response to a verified Data Breach.
- Contain the breach as soon as possible. Containment is ensuring that the breach itself is stopped. How a breach is stopped depends on the particular instance but can include:
  - The suspension of compromised accounts;
  - Removal of malware/ransomware, where identified;
  - Temporary platform downtime if necessary;
  - Identifying and notifying customers that are affected as soon as possible;
  - Recovering any lost data, if possible;
  - Repairing unauthorised modification of data, if possible;
  - Restoring access to the platform when able.
- Assess the risks involved and the repercussions for the respective stakeholders. The following may be considered in assessing the stakeholder risks:
  - The type of information involved;
  - Establishing the cause and the extent of the breach;
  - Assessing the risk of harm to affected persons;
  - Assessing the risk of other harms, such as reputational damage.
- Notify Management and affected individuals where appropriate:
  - Management must be notified of breaches as and when they occur, whether or not the breach is an eligible breach under the Notifiable Data Breach Scheme;
  - Rise-X is an APP entity under the Privacy Act 1988 (Cth) and must, therefore, comply with its obligations to customers under the Notifiable Data Breach Scheme;
  - Data breaches that are not eligible under the Notifiable Data Breach Scheme need not be reported and may be addressed internally.
- Prevent future similar breaches by strengthening security infrastructure and/or policies.
Notifiable Data Breach Scheme
Under the Notifiable Data Breach Scheme, Rise-X is obliged to report data breaches that satisfy the following criteria:
- There is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that Rise-X holds;
- That the unauthorised access to or disclosure of, or loss of personal information is likely to result in serious harm to one or more individuals; and
- Rise-X has not been able to prevent the likely risk of serious harm with remedial action.
For further information on how to assess a notifiable data breach, you may refer to the OAIC’s APP guidelines.
Where Rise-X suspects that an eligible breach has occurred, it must carry out a reasonable and expeditious assessment of the breach: s 26WH(2)(a) of the Privacy Act. Where possible, the assessment must be completed within 30 days of Rise-X becoming aware of information that causes it to suspect that an eligible breach has occurred. If Rise-X is unable to complete the assessment within 30 days, a written statement must be prepared which addresses:
- how all reasonable steps have been taken to complete the assessment within 30 days;
- the reasons for the delay; and
- that the assessment was reasonable and expeditious.
Where an Eligible Breach has occurred, Rise-X must inform affected users AND the Privacy Commissioner. Rise-X is allowed to disclose eligible breaches to users in either of the following ways:
- It may notify all Rise-X users
- It may notify affected Rise-X users
- It may publish a notification on its website
Disclosure of eligible breaches to the Privacy Commissioner may be done by online form.
For more information on disclosing Eligible Breaches under the Notifiable Data Breach Scheme, please refer to the OAIC’s webpage on the topic.
Usage monitoring and communication with end users
To respond to a data breach in a timely and responsible manner, Rise-X reserves the right to monitor your use of services in accordance with our Privacy Policy and our Acceptable Use Policy. In the event that a notifiable data breach occurs we will inform you as soon as we become aware of it and will establish a formal communications channel to keep you informed and updated until the breach has been contained, the assessment of the root cause of the breach has been completed, and the corrective action has been identified and communicated.
If you have any additional questions about how we protect against and manage data breaches, please reach out to us; we would be more than happy to take questions and feedback.