Breach response.
How Sliick assesses and responds to a suspected or confirmed personal information breach. Owned by Sliick Pty Ltd. See also the Cyber Security Incident Response Plan.
1. Purpose and scope
This plan sets out how Sliick assesses and responds to a suspected or confirmed breach of personal information Sliick processes, whether that information relates to a customer's own end users (processed on their behalf inside their Salesforce org, or in an optional off-platform storage or processing feature) or to a Sliick website visitor or contact.
Sliick contractually commits, in its Terms & Conditions, to handle personal information in accordance with the Australian Privacy Principles under the Privacy Act 1988 (Cth), and follows this plan as if bound by the Notifiable Data Breaches scheme.
This plan operates alongside, and shares its detection and containment steps with, Sliick's Cyber Security Incident Response Plan. A security incident becomes a personal information breach when the affected data includes personal information.
2. What counts as a breach
A personal information breach is unauthorised access to, unauthorised disclosure of, or loss of, personal information Sliick processes. Not every breach requires notification, only one that a reasonable person would conclude is likely to result in serious harm to the individuals concerned (an "eligible data breach").
3. Roles and responsibilities
- Incident Lead (Jerry Huang): owns the assessment, notification decision, and notification content for any suspected breach. Engages legal counsel before notifying where the assessment is unclear or the breach is significant.
4. Response process
- Contain: stop ongoing unauthorised access or disclosure as the first priority, sharing containment steps with the Cyber Security Incident Response Plan where the breach originates from a security incident.
- Assess: within 30 days of becoming aware of a suspected breach, or sooner wherever practical, determine:
- What personal information was involved, and whose
- Whether unauthorised access, disclosure, or loss actually occurred, or is likely to have occurred
- Whether the breach is likely to result in serious harm, considering the sensitivity of the information, whether it was protected (encryption, access controls), and who may have accessed it
- Notify, if an eligible data breach:
- Affected customers (and, where Sliick processes data on a customer's behalf, the customer is notified so they can meet their own notification obligations to their end users) without undue delay and no later than 72 hours after Sliick becomes aware, consistent with Sliick's Terms & Conditions
- Affected individuals directly, where Sliick holds a direct relationship with them (for example, website contacts) and notifying the customer alone would not reach them
- Affected customers receive an update at least daily for as long as the breach remains under active response, not only a single initial notice
- Document: every assessed suspected breach is logged, including breaches assessed as not requiring notification, with the reasoning for that assessment.
- Review: within two weeks of resolution, assess whether the breach reveals a gap in this plan, in access controls, or in how a specific feature (for example, optional off-platform storage or photo processing) handles personal information, and act on any finding.
5. Notification content
Where notification is required, it includes, to the extent known at the time:
- A description of the breach
- The kinds of personal information involved
- Sliick's recommended steps for the individual or customer in response
- What Sliick has done and is doing in response
- A contact point for follow-up questions
6. Plan maintenance
This plan is reviewed at least annually and after any notifiable breach. Material changes to what personal information Sliick processes, or how (for example, a new optional feature that sends data to a Sliick-operated service), trigger an out-of-cycle review.
Contact us
If you have any questions about this plan, please contact us.