A survey conducted by Queensland’s information commissioner reveals that government agencies in the state need to do more to prepare for a future mandatory data breach reporting scheme.
Out of 221 agencies, 107 responded to the survey, and fewer than half of them (52) had a documented data breach response plan, with varying levels of comprehensiveness.
The absence of a document titled “data breach response plan” does not necessarily indicate a lack of preparedness, as agencies may have plans with different names that cover the required elements.
Only 27 out of the 52 agencies with a response plan had tested it, with some conducting cyber security exercises and others simulating actual privacy or data breaches.
While most agencies had established a response team, only 29 of them provided descriptions of the team members’ roles, and only 18 agencies shared current contact details for the team members.
The Queensland government should be prepared for a future mandatory data breach notification scheme, which the state cabinet endorsed in the middle of last year. It is recommended that agencies consider publishing information about their data breach response plans to foster community confidence and trust in the government.