Over a year has passed since the Notifiable Data Breaches Scheme (Scheme) under the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth) took effect. The Scheme outlines the mandatory requirements for agencies and organisations covered by the Privacy Act 1988 (Cth) in responding to data breaches.
On 13 May 2019, the Office of the Australian Information Commissioner (OAIC) issued its Notifiable Data Breaches Scheme 12-month Insights Report. The report details trends that have emerged during the first 12 months of the Scheme.
The OAIC reported that since the introduction of the Scheme, data breach notifications have increased by 712%. The OAIC received a total of 1,132 notifications between 1 April 2018 and 31 March 2019. Of the notifications received, 964 were “eligible data breaches”, which are breaches where:
- there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information, that an organisation or agency holds;
- this is likely to result in serious harm to one or more individuals; and
- the organisation or agency hasn’t been able to prevent the likely risk of serious harm with remedial action.
The most common causes of these breaches were malicious attacks, which represent 60% of all reported breaches. Some of the other key findings identified in the report include that:
- 86% of breaches reported to the OAIC involved the disclosure of contact information;
- 55% of health sector data breaches and 41% of the finance sector data breaches were due to human error such as unintended disclosure of personal information or the loss of a data storage device; and
- there were 153 phishing breaches (i.e. fraudulent attempts to obtain personal information by impersonating someone else in an electronic communication).
The highest number of data breach notifications was made by the health sector, followed by finance, legal, accounting and management services, education, then personal services.
The OAIC recommended the following best practice tips:
- People and training: All employees should be trained on how to detect and report email-based threats such as phishing. Best practice involves a dedicated training program including face-to-face training and e-learning.
- Preventative technologies and processes: Organisations should invest in and implement preventative technologies and processes, such as multi-factor authentication, encryption, secure data transfer and monitoring systems.
- Preparation: Organisations should prepare for data breach incidents with a data breach response plan (see our earlier article) and conduct regular exercises or data breach simulations.
- Assessment of harm: Organisations should assess what data they are storing and how data breaches could affect their customers (i.e. whether a data breach is likely to result in serious harm for affected individuals).
- Post-breach communication: Organisations should establish channels to effectively communicate in plain English with customers following a data breach.
The report concluded that organisations should now be fully aware of their obligations and have processes in place to notify and minimise harm to individuals. The report also noted that the OAIC will consider regulatory action against organisations that fail to respond appropriately, including exercising enforcement powers where necessary.
Organisations should take the opportunity to review their privacy policies and procedures, in particular, their data breach response plans.
If you have any questions about your privacy risks or obligations, please contact:
M: 0408 446 013
Published: 25 July 2019