Breach Response Plan

TransferToAI Pty Ltd
Last Updated: November 3, 2025
Effective Date: November 3, 2025
Jurisdiction: Australia, Queensland

Overview

TransferToAI has implemented a comprehensive incident response and breach management procedure to comply with the Notifiable Data Breaches (NDB) Scheme under the Privacy Act 1988.

This document outlines our commitment to:

  • Detecting security incidents quickly

  • Assessing patient harm risk accurately

  • Notifying affected parties transparently

  • Remediating breaches completely

  • Preventing future incidents

Response Objectives


Objective                         | Target
Detect security incidents         | Within 4 hours
Assess serious harm risk          | Within 30 days
Notify affected clinics           | Within 24 hours
Notify OAIC (if required)         | Within 72 hours
Complete recovery & remediation   | Within 30 days
Conduct post-incident analysis    | Within 30 days

Phase 1: Detection (T+0 to 4 hours)

What we monitor:

  • System health: CPU, memory, disk, network anomalies

  • Network traffic: Intrusion detection for malicious activity

  • Application logs: Unusual errors, exceptions, failed authentication attempts

  • Database access: Unauthorized queries or unusual patterns

  • Staff reports: Employees reporting suspicious activity

  • Customer reports: Clinic staff noticing unexpected behavior

How we respond:

  1. Alert is received (automated or manual)

  2. Incident logged with timestamp and severity estimate

  3. On-call security team notified immediately

  4. Initial assessment within 30 minutes

  5. Severity confirmed or adjusted (CRITICAL → HIGH → MEDIUM → LOW)

Severity Matrix:


Severity | Records Affected | Data Type                              | Response SLA
CRITICAL | 1,000+           | Highly sensitive (voice, health data)  | Immediate (0 hours)
HIGH     | 100-1,000        | Sensitive patient data                 | 1 hour
MEDIUM   | 10-100           | Limited sensitivity                    | 4 hours
LOW      | <10              | Non-sensitive data                     | 24 hours

Phase 2: Investigation (T+4 to 12 hours)

Forensic analysis determines:

  • What data was accessed?

  • How many individuals affected?

  • When did the breach occur?

  • How did the attacker gain access?

  • Is the breach ongoing or contained?

Investigation techniques:

  • Log analysis (system, database, application)

  • Network traffic analysis

  • Database query pattern analysis

  • File system integrity verification

  • Memory forensics (if malware suspected)

Output: Formal scope document including:

  • Affected data categories

  • Number of affected individuals

  • Data sensitivity level

  • Timeline of unauthorized access

  • Root cause determination

Phase 3: Assessment (T+12 to 24 hours)

Serious Harm Evaluation (NDB Scheme):

We assess whether the breach poses "serious harm" using this matrix:


Factor                 | Weight | Assessment
Number of individuals  | 40%    | Threshold: 1,000+ triggers notification
Data sensitivity       | 30%    | Health, financial, identification data = higher risk
Vulnerability          | 20%    | Elderly, children, vulnerable groups = higher risk
Harm likelihood        | 10%    | Identity theft, discrimination, physical harm = higher risk

Scoring: 0-10 (LOW) | 11-25 (MEDIUM) | 26-40 (HIGH)

  • Score 0-10: No OAIC notification required

  • Score 11-25: Re-evaluate in 7 days

  • Score 26-40: OAIC notification required

Decision: Documented by Legal Counsel & Incident Commander

Phase 4: Containment (T+24 hours)

Immediate actions to stop the breach:

  1. Access revocation: Revoke compromised API keys & session tokens

  2. Password reset: Force reset for affected accounts

  3. IP blocking: Block attacker IP addresses at firewall

  4. Account disablement: Disable compromised service accounts

  5. Vulnerability patching: Develop & deploy patches

  6. Network isolation: Isolate affected systems if necessary

Service availability:

  • Recovery Time Objective (RTO): 4 hours

  • Recovery Point Objective (RPO): 1 hour

Phase 5: Customer Notification (T+24 hours)

If a breach is confirmed, we notify all affected clinics within 24 hours:


Communication Channel          | Recipient                          | Timing
Email                          | All affected clinic administrators | Within 24 hours
Phone call (if HIGH/CRITICAL)  | Primary clinic contact             | Within 24 hours
Dashboard alert                | Clinic account portal              | Simultaneously

Notification includes:

  • Clear description of what happened

  • What data was affected

  • Approximate number of clinics & patients involved

  • Steps TransferToAI has taken to contain the breach

  • Actions the clinic should take (contact patients, review logs, etc.)

  • Dedicated support contact for questions

Example notification:

Subject: URGENT Security Incident Notification - TransferToAI

Dear Clinic Administrator,

We are writing to inform you of a security incident affecting TransferToAI that may impact your clinic's data.

What happened: On [DATE], we discovered [TYPE: unauthorized access/data exposure/system compromise].

What data was affected: [SPECIFIC DATA TYPES: e.g., patient call recordings, appointment details, clinic staff names and phone numbers]

How many clinics/patients: Approximately X clinics and Y patient records were potentially affected. Your clinic [CLINIC ID] was included.

What we have done:

  • Contained the breach and stopped attacker access

  • Patched the vulnerability

  • Preserved evidence for investigation

  • Notified the OAIC (if required by law)

What you should do:

  1. Check if patients contact you about this incident

  2. Review your access logs in your dashboard

  3. Consider notifying your patients of the incident

  4. Contact us with questions

Your support contacts:

Phase 6: OAIC Notification (T+72 hours if required)

If serious harm is confirmed, we notify the OAIC within 72 hours.

Required information:

  • Organization name & contact details

  • Affected clinic names (or generic description if 10+ clinics)

  • Personal information affected (specific data types)

  • Date breach occurred or was discovered

  • Number of individuals affected

  • Steps taken to remediate

Notification method: Official letter + email to OAIC

Compliance: Privacy Act 1988, Section 26WH (Notifiable Data Breaches Scheme)

Phase 7: Recovery & Remediation (T+7 to 30 days)

Technical fixes:


Step                               | Timeline        | Owner
Patch development & testing        | Within 2 hours  | Engineering
Patch deployment to production     | Within 6 hours  | DevOps
Vulnerability rescan               | Within 8 hours  | Security
Backup restoration (if data loss)  | Within 24 hours | DevOps

Enhanced controls:

  • Deploy additional WAF rules to prevent similar attacks

  • Increase audit logging retention

  • Deploy additional monitoring for suspicious activity

  • Test backup/restore procedures

Stakeholder updates:

  • Daily updates (first 7 days): Email to all affected clinics

  • Weekly updates (if serious breach): Email to OAIC

  • Final status: Comprehensive remediation report after 30 days

Phase 8: Post-Incident Analysis (T+30 days)

We conduct a thorough review to prevent future incidents:

Post-Mortem Review (2-hour meeting)

  1. Timeline review: What happened at each phase? Any delays?

  2. Root cause analysis: Why did the vulnerability exist?

  3. Impact assessment: What was the actual patient impact?

  4. Improvement identification: What could we have done better?

  5. Action items: Assign owners, set due dates

Post-Mortem Report (published internally & to clinic)

Contents:

  • Executive summary

  • Incident timeline

  • Root cause

  • Contributing factors

  • Impact assessment

  • What went well

  • What could improve

  • Remediation steps taken

  • Prevention measures for future

  • Recommendations & action items

Internal training

  • Knowledge transfer to incident response team

  • Updated procedures & runbooks

  • Compliance training on Privacy Act requirements

Detection Mechanisms

We use a layered approach to detect breaches:


Detection Method                   | What It Monitors                            | Alert Trigger
CloudWatch                         | System metrics (CPU, memory, disk, network) | Spike 3x baseline for 5 minutes
Intrusion Detection System (IDS)   | Network traffic anomalies                   | Known attack signature match
Web Application Firewall (WAF)     | HTTP requests                               | SQL injection, XSS attempts blocked
Application Logs                   | Errors, exceptions, unusual patterns        | Error rate spike or new exception type
Database Audit Logs                | Unauthorized SQL queries                    | Unauthorized SELECT on sensitive tables
Failed Authentication Logs         | Brute force attempts                        | 10+ failed logins in 5 minutes
File Integrity Monitoring          | System file changes                         | Hash mismatch on core files
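The "Failed Authentication Logs" trigger in the table above (10+ failed logins in 5 minutes), as an added example that is not part of this plan or of TransferToAI's tooling: a sliding-window detector run over constructed auth log lines, with a slow, spread-out failure pattern included to show why the window matters. The log line format, user names and source addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format for this example; not TransferToAI's real log schema.
LOG_LINE = re.compile(r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=\S+ src=(?P<src>\S+)$")


def parse(line):
    """Return (timestamp, result, src), or None for a line that does not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"].replace("Z", "+00:00")), m["result"], m["src"]


def detect_brute_force(lines, threshold=10, window=timedelta(minutes=5)):
    """One alert per source the first time it reaches `threshold` failed logins
    inside any sliding `window` (the plan's 10 in 5 minutes).
    Lines must be in time order per source; a deque per source keeps only the
    failures still inside the window, so slow, spread-out failures never add up."""
    recent = defaultdict(deque)  # src -> failure timestamps still inside the window
    alerted, alerts = set(), []
    for line in lines:
        parsed = parse(line)
        if parsed is None or parsed[1] != "FAIL":
            continue
        ts, _result, src = parsed
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "count": len(q), "first": q[0], "last": ts})
    return alerts


# Constructed sample: 203.0.113.7 fails 12 times in under 3 minutes (should alert);
# 192.0.2.9 fails 10 times but 80 s apart (never 10 inside 5 minutes); 198.51.100.4
# has a few scattered failures (benign).
SAMPLE_LOG = (
    [f"2025-11-03T10:{15 * i // 60:02d}:{15 * i % 60:02d}Z auth FAIL user=admin src=203.0.113.7"
     for i in range(12)]
    + [f"2025-11-03T11:{80 * i // 60:02d}:{80 * i % 60:02d}Z auth FAIL user=nurse src=192.0.2.9"
       for i in range(10)]
    + ["2025-11-03T09:05:00Z auth FAIL user=bob src=198.51.100.4",
       "2025-11-03T09:40:00Z auth FAIL user=bob src=198.51.100.4",
       "2025-11-03T10:01:00Z auth OK user=bob src=198.51.100.4",
       "2025-11-03T10:30:00Z auth FAIL user=bob src=198.51.100.4"]
)
```

Calling `detect_brute_force(SAMPLE_LOG)` returns a single alert for 203.0.113.7 at its 10th failure; lowering `threshold` to 3 also surfaces the slow 192.0.2.9 pattern, which is why the threshold and window are tuned together.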

Our Commitment

  • Transparency: Clinics are notified immediately of any breach

  • Accountability: We take responsibility for our security

  • Speed: We detect incidents within 4 hours and notify within 24 hours

  • Thoroughness: We conduct complete forensic analysis

  • Prevention: We learn from incidents and improve continuously

Support & Questions

For questions about this plan or to report a suspected security issue:

Email: security@transfertoai.com.au
Privacy inquiries: privacy@transfertoai.com.au
General support: support@transfertoai.com.au

Compliance

This plan complies with:

  • Privacy Act 1988 (Australian Privacy Principles APP 13)

  • Notifiable Data Breaches (NDB) Scheme

  • Queensland Privacy Commissioner guidance

Last Updated: November 3, 2025
Next Review: 6 months from approval

OAIC-compliant. Data always stays in Australia.