# Breach Response Plan

## Purpose
This plan outlines how Trove identifies, contains, assesses, and responds to data breaches. It is designed to ensure we meet our legal obligations under the Australian Privacy Act (NDB scheme) and the GDPR, and that affected customers and individuals are notified appropriately and promptly.
## What Counts as a Data Breach
A data breach occurs when personal information held by Trove is:
- Accessed by an unauthorised person
- Disclosed without authorisation
- Lost (e.g. a device containing data is stolen)
- Altered without authorisation
- Subject to any other misuse
Not every breach is an eligible data breach under the NDB scheme - only those that are likely to result in serious harm to affected individuals. All suspected breaches must still be assessed, regardless of initial severity.
## Breach Response Team
| Role | Person | Responsibility |
|---|---|---|
| Lead | Joshua Curci - CTO | Leads the technical response, assessment, and regulatory notifications |
| Executive | Sheree Andersen - CEO | Informed at the outset; approves external communications and escalations |
| Executive | Johnny Reid - COO | Informed at the outset; supports operational response and customer communications |
## External Support

### Cyber Insurance
Trove holds a Coalition cyber insurance policy. Coverage includes:
- Regulatory defence and penalties
- Access to a 24/7 breach response hotline
- Breach response services for up to 72 hours following notification
- Forensic investigation support
- Legal support for breach investigation and notification obligations
- Crisis management and public relations support
Policy notes:
- Initial legal support is provided via Coalition panel providers
- Forensic response can be provided via Coalition Incident Response - where available, forensic fees are not subject to the policy retention
- Refer to the current policy schedule for applicable limits, retentions, and conditions
Download current policy schedule
### External Legal / Privacy Counsel
Not separately pre-identified in the current internal process. The cyber insurance policy includes access to panel legal counsel and covers certain legal fees arising from a breach - this is the primary route for obtaining legal support during an incident.
### Forensic Incident Response
Primary forensic support is available through Coalition Incident Response under the cyber policy. A separate non-Coalition forensic firm has not been identified in the current process documentation.
## Response Phases

### Phase 1 - Detect & Contain
Timeframe: Immediate
- Any team member who identifies or suspects a breach must notify the CTO immediately via direct message on Slack or phone
- The CTO notifies the CEO and COO as soon as the potential breach is identified
- The CTO takes immediate steps to contain the breach - this may include:
  - Revoking compromised credentials or access tokens
  - Isolating affected systems or services
  - Preserving logs and evidence for investigation
  - Disabling affected integrations or API connections
- Do not delete or alter any logs, files, or records related to the incident - these are needed for investigation and may be required by regulators
- Open a private Slack channel (e.g. #incident-[date]) to coordinate the response and maintain a record of actions taken
### Phase 2 - Assess
Timeframe: As soon as possible - within 30 days under NDB scheme
The CTO leads an assessment to determine:
- What personal information was involved
- How many individuals are affected
- How the breach occurred
- Whether the breach is an eligible data breach under the NDB scheme (i.e. likely to result in serious harm)
- Whether the breach triggers GDPR notification obligations (i.e. likely to result in a risk to the rights and freedoms of individuals)
Document the findings in writing. This record must be retained regardless of outcome.
### Phase 3 - Notify
Timeframe: Varies by obligation - see below
#### Australian NDB Scheme
If the assessment concludes the breach is an eligible data breach:
- Notify the Office of the Australian Information Commissioner (OAIC) as soon as practicable using the OAIC notification form
- Notify affected individuals as soon as practicable - directly where possible, or via a public notice if direct contact is not feasible
If the breach is assessed as not eligible, document the assessment and outcome and retain on file.
#### GDPR
If the breach involves personal data of individuals in the EU/EEA:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (where it is likely to result in a risk to individuals' rights and freedoms)
- If the breach is likely to result in a high risk to affected individuals, notify those individuals directly without undue delay
The relevant supervisory authority depends on where the affected individuals are located. Seek legal advice if unsure.
#### Customer Notification
If a breach has affected data belonging to a Trove customer (brand):
- The CTO drafts a notification email outlining what happened, what data was affected, what steps have been taken, and what the customer should do
- The CEO reviews and approves before sending
- Notification is sent directly to the brand's primary contact by email as soon as the facts are confirmed - do not wait for the full investigation to be complete if the customer needs to take immediate action
### Phase 4 - Recover
Timeframe: Ongoing
- Remediate the root cause - patch vulnerabilities, revoke and reissue credentials, update configurations
- Monitor affected systems for any further suspicious activity
- Confirm that containment measures are working and normal operations can resume
- Update any affected customers on resolution progress
### Phase 5 - Review
Timeframe: Within 2 weeks of resolution
Once the breach is resolved, conduct a post-incident review covering:
- Root cause and timeline of events
- How the breach was detected
- Effectiveness of the response
- What should be done differently
- Any policy, process, or technical changes required to prevent recurrence
Document the review outcomes and assign owners for any follow-up actions.
## Breach Log
All breaches - whether eligible or not - must be recorded and retained. The log should capture:
| Field | Detail |
|---|---|
| Date detected | |
| Date reported internally | |
| Description of the breach | |
| Data types involved | |
| Number of individuals affected | |
| Eligibility assessment outcome | |
| Notifications made (to whom, when) | |
| Containment and remediation actions | |
| Post-incident review completed | |
## Key Contacts & Resources
| Contact | Details |
|---|---|
| OAIC (Australia) | oaic.gov.au · 1300 363 992 |
| NDB Notification Form | oaic.gov.au/privacy/notifiable-data-breaches/notify-us |
| Cyber insurance | Coalition - 24/7 breach response hotline available via policy |
| External legal counsel | Via Coalition panel providers under cyber policy |
## Related Documents
- Compliance Overview
- Incident Response Plan
- Acceptable Use Policy
- Records of Processing Activities (ROPA)
## Review Cycle
This plan should be reviewed annually and after any breach or near-miss event.
Last reviewed: April 2026

Owner: CTO