Data Breach Response Plan
Last updated: December 2025
This plan was last reviewed: December 2025
1. Purpose
This plan establishes procedures for:
- Detecting and identifying data breaches
- Containing and assessing breaches
- Notifying affected individuals and authorities
- Preventing future breaches
2. Definition of a Data Breach
A data breach occurs when personal information held by trackME is:
- Lost or stolen
- Subject to unauthorized access or disclosure
- Subject to unauthorized modification
- Made unavailable due to a cyber attack or system failure
A breach is "notifiable" (an eligible data breach under the Notifiable Data Breaches scheme in the Privacy Act 1988) if it is likely to result in serious harm to one or more affected individuals and we have not been able to prevent that likely harm through remedial action taken before the harm occurs.
3. Breach Detection
3.1 Monitoring Systems
- Automated security monitoring and alerts from Firebase, the platform that hosts trackME's backend and authentication
- Audit log reviews
- User reports of suspicious activity
- Security alerts from service providers
3.2 Indicators of a Breach
- Unauthorized access to user accounts
- Unusual data access patterns
- System intrusions or malware
- Physical theft of devices containing data
- Accidental data exposure
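The audit log review in 3.1 is where the "unusual data access patterns" and "unauthorized access" indicators above are actually found. The following is an added example of that review, not trackME's own tooling: it assumes a line-delimited JSON audit log with the fields ts (ISO 8601, UTC), uid, action, collection, doc_count and ip, and the log lines, IP baseline and thresholds are all constructed for illustration. It flags three of the indicators: activity from a source address never seen for an account, out-of-hours export or modification of records, and a bulk read or export within a sliding window.

```python
"""Audit-log review for the breach indicators listed above.

Added example, not trackME's own tooling. It assumes a line-delimited JSON
audit log with the fields ts (ISO 8601, UTC), uid, action, collection,
doc_count and ip; the log, baseline and thresholds below are constructed.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are illustrative assumptions; tune them to the real access baseline.
BULK_WINDOW = timedelta(minutes=15)
BULK_THRESHOLD = 500           # documents read/exported by one account per window
AFTER_HOURS = range(0, 6)      # UTC hours treated as out of hours (assumption)
SENSITIVE_ACTIONS = {"export", "delete", "update"}

# Constructed baseline: source IPs previously seen for each account (not real data).
KNOWN_IPS = {
    "teacher_42": {"203.0.113.10"},
    "teacher_7": {"203.0.113.55"},
}

# Constructed sample log: a normal morning for two accounts, plus an overnight
# bulk read and export by teacher_42 from an address never seen before.
SAMPLE_LOG = """\
{"ts": "2025-12-01T09:00:00Z", "uid": "teacher_42", "action": "read", "collection": "students", "doc_count": 30, "ip": "203.0.113.10"}
{"ts": "2025-12-01T09:05:00Z", "uid": "teacher_42", "action": "read", "collection": "students", "doc_count": 25, "ip": "203.0.113.10"}
{"ts": "2025-12-01T02:10:00Z", "uid": "teacher_42", "action": "read", "collection": "students", "doc_count": 900, "ip": "198.51.100.7"}
{"ts": "2025-12-01T02:12:00Z", "uid": "teacher_42", "action": "export", "collection": "students", "doc_count": 900, "ip": "198.51.100.7"}
{"ts": "2025-12-01T10:00:00Z", "uid": "teacher_7", "action": "read", "collection": "students", "doc_count": 28, "ip": "203.0.113.55"}
"""


def parse_log(text):
    """Parse JSON lines into events sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def review(events, known_ips=KNOWN_IPS):
    """Return a list of findings, one per (account, indicator) occurrence."""
    findings = []
    seen_ips = {uid: set(ips) for uid, ips in known_ips.items()}
    recent = defaultdict(deque)     # uid -> (ts, doc_count) within BULK_WINDOW
    bulk_open = set()               # accounts currently over the bulk threshold

    for e in events:
        uid, ts, ip = e["uid"], e["ts"], e["ip"]

        # Indicator: activity from a source address never seen for this account.
        if ip not in seen_ips.setdefault(uid, set()):
            seen_ips[uid].add(ip)
            findings.append({"uid": uid, "indicator": "new_source_ip",
                             "ts": ts, "detail": ip})

        # Indicator: out-of-hours export or modification of records.
        if e["action"] in SENSITIVE_ACTIONS and ts.hour in AFTER_HOURS:
            findings.append({"uid": uid, "indicator": "after_hours_change",
                             "ts": ts, "detail": e["action"]})

        # Indicator: volume of records touched in a sliding window. Flag once
        # when the account crosses the threshold, not on every later event.
        q = recent[uid]
        q.append((ts, e["doc_count"]))
        while ts - q[0][0] > BULK_WINDOW:
            q.popleft()
        total = sum(count for _, count in q)
        if total >= BULK_THRESHOLD:
            if uid not in bulk_open:
                bulk_open.add(uid)
                findings.append({"uid": uid, "indicator": "bulk_access",
                                 "ts": ts, "detail": f"{total} docs in {BULK_WINDOW}"})
        else:
            bulk_open.discard(uid)
    return findings


def indicators_by_uid(findings):
    """Collapse findings to {uid: sorted list of distinct indicators}."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f["uid"]].add(f["indicator"])
    return {uid: sorted(inds) for uid, inds in grouped.items()}


if __name__ == "__main__":
    for f in review(parse_log(SAMPLE_LOG)):
        print(f["ts"].isoformat(), f["uid"], f["indicator"], f["detail"])
```

Run against the sample log, the review produces three findings, all for teacher_42: a new source IP at 02:10, a bulk access crossing the threshold at 02:10, and an after-hours export at 02:12. A single one of these is a lead to check; the same account tripping all three within minutes is the kind of pattern that should start the 1-hour response in section 4. The baseline of known IPs is the weak point of this check and should be built from a period known to be clean.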
4. Immediate Response (Within 1 Hour of Discovery)
- Contain the Breach:
- Disable compromised accounts
- Revoke sessions and refresh tokens for affected accounts so that stolen credentials stop working
- Isolate affected systems
- Rotate compromised credentials, API keys and service account keys
- Document the Incident:
- Record date and time of discovery, and who discovered it
- Document what was detected and how
- Note initial assessment of scope
- Preserve Evidence:
- Export audit logs and authentication logs immediately; platform log retention is finite and the window may close before the assessment is complete
- Document system state (screenshots, configuration and rule exports)
- Preserve any forensic evidence and do not wipe, reimage or restore affected systems until it has been captured
5. Assessment (Within 24 Hours)
5.1 Assess the Breach
Determine:
- What data was accessed or compromised
- How many individuals are affected
- Whether the breach is likely to cause serious harm
- Whether the breach is ongoing
5.2 Serious Harm Assessment
Consider whether the breach is likely to result in:
- Identity theft or fraud
- Financial loss
- Psychological harm
- Reputational damage
- Discrimination or harassment
6. Notification Requirements
6.1 When to Notify
We notify within 72 hours of becoming aware of the breach if:
- The breach is likely to result in serious harm, OR
- We cannot determine whether serious harm is likely
The 72-hour target is this plan's own deadline. The Notifiable Data Breaches scheme under the Privacy Act 1988 requires an eligible data breach to be notified to the OAIC and affected individuals as soon as practicable, and a suspected breach to be assessed within 30 days; this plan's deadlines are deliberately shorter.
6.2 Who to Notify
- Affected Individuals: All users whose data was compromised
- Office of the Australian Information Commissioner (OAIC): Via the Notifiable Data Breach form at oaic.gov.au
- School Administrators: If school data is affected
6.3 Notification Content
Notifications must include:
- Description of the breach
- Types of data involved
- What we are doing to address the breach
- Steps individuals can take to protect themselves
- Contact information for questions
7. Notification Methods
7.1 Primary Method: Email
Send email to all affected users' registered email addresses with:
- Clear subject line: "Important: Data Breach Notification - trackME"
- Detailed information about the breach
- Steps to protect themselves
- Contact information
Because breach notices are commonly imitated by phishing emails, the notification should not ask users to click a link and log in; it should direct them to open the app or visit the website directly. If the email service or sending domain was itself compromised, use a secondary method instead.
7.2 Secondary Methods
- In-app notification banner
- Post on website (if widespread breach)
- Direct phone calls for high-risk breaches
8. Remediation
8.1 Immediate Actions
- Fix the vulnerability or misconfiguration that enabled the breach
- Implement additional security measures
- Review and update security policies
- Conduct security audit
8.2 Long-term Actions
- Update security procedures
- Provide additional staff training
- Enhance monitoring systems
- Review third-party security
9. Post-Breach Review
Within 30 days of breach resolution:
- Conduct post-incident review
- Document lessons learned
- Update this response plan
- Review security measures
- Consider additional safeguards
10. Contact Information
Data Breach Reporting:
Simon Dass
Email: simon.dass.1996@gmail.com
VIT Registration: 615660
OAIC Notification:
Online: oaic.gov.au
Phone: 1300 363 992
11. Record Keeping
We maintain records of all data breaches, including:
- Date and time of breach
- Nature of breach
- Data involved
- Number of individuals affected
- Actions taken
- Notifications made
Records are retained for 7 years as required by law.