This document sets out VIG's response to a data breach - the accidental or unlawful access, destruction or modification of company or user data.

All VIG personnel are trained to report any suspected or actual data breach to the Data Breach Coordinator (DBC), who is responsible for the execution of this plan.

Current DBC: Greg Fawcett


Target: Five minutes after breach notification

Evaluate available information to determine:

  • Is the danger likely to be real?
  • Is effective containment action possible?
  • Do VIG personnel need to be informed?


Target: One hour after breach notification

If containment is possible, it is the first priority. If not, move on to analysis.

Consider the following actions to prevent ongoing harm:

Containment is likely to disrupt services, so inform VIG personnel immediately.


Target: Four hours after breach notification

  1. Create a new data breach report document (DBRD) specific to this data breach. The DBRD must include all information about the breach and our response to it.
  2. Gather and document evidence from:
    • VIG personnel
    • Users
    • System logs
    • Application logs
    • Email accounts
    • Vendors
  3. Assess the risk of danger to affected individuals and organisations as NO RISK, MINOR RISK or MAJOR RISK. Document how this assessment was reached in the DBRD.


Target: Four hours after breach notification

Make a communications plan with stakeholders, informing them of the breach, our assessment of the risk, what we're doing about it, and how often they can expect updates.


Target: Seven days after breach notification

Complete the investigation of the data breach event, informing stakeholders of any progress. Document all findings in the DBRD.

Consider ways to reduce the risk of similar events, and implement them. These might include:


The DBC will review the entire incident, including the effectiveness of this data breach plan. The plan will then be updated with any identified improvements.

The DBRD will be signed off and made available to all VIG personnel. Future DBCs will be required to read and discuss all DBRDs as part of their training.