One Year of Mandatory Data Breach Reporting: Insights and Lessons

The strength of the global economy is inextricably tied to data. Information has never before been created, stored, used and shared on so large a scale, underpinning trade and commerce, government and public services across the world. The corollary of our total data-dependence is that concerns about information security are at an all-time high. Australia is now just one of many countries to have introduced a mandatory data breach reporting regime, with the EU, Canada and New Zealand following soon after.

The Notifiable Data Breaches (NDB) scheme came into effect in February 2018, requiring Australian Government agencies and private organisations that are subject to privacy obligations under the Privacy Act 1988 (Cth) to report data breaches where personal information they hold has been lost or subject to unauthorised access or disclosure. If that event is likely to cause ‘serious harm’, the entity has to alert both the individual(s) concerned and the Office of the Australian Information Commissioner (OAIC).

One year on, the OAIC has released a 12-month Insights Report to mark the recently held Privacy Awareness Week, in addition to the four Quarterly Statistics Reports it has published since the introduction of the NDB scheme.

One important—if expected—result to note was the substantial increase in reported data breaches. Compared to the previous 12 months under the earlier voluntary scheme, the OAIC has seen a 712% increase in notifications. It seems that entities understand their obligations, bringing to light the scale of the challenges we face as a nation in the field of information security.

So, what else have we learned?

Key Findings

Of the 964 eligible data breaches reported in the 12 months leading up to 31 March 2019, a disquieting 60% of those were related to malicious or criminal attacks. The most common method among these was phishing, with many attackers succeeding in obtaining credentials like usernames and passwords to gain access to protected systems and information.

Also concerning was human error as a significant cause of data breach. Over a third of all reported breaches were occasioned by human error, such as unintended disclosures (accidentally mis-sending an email, anyone?), lost devices, and so on.

Another interesting finding was to do with affected sectors. In this regard, health service providers took first place by a long shot, with over 200 eligible data breaches reported. A startling 55% of these were due to human error, putting in stark relief the need to have robust policies, procedures and training in the health sector. This is particularly so with the advent of My Health Records, rendering the potential scale and impact of a breach much larger as the health data ecosystem continues to grow.

Lessons

Whether or not your organisation is regulated by the NDB scheme, the OAIC’s Report serves as an important reminder of what can go wrong and the need to take steps to better protect the information you hold.

One key take-away arising out of the staggering proportion of malicious attacks and human errors is the need for comprehensive and regular staff training. All personnel within your organisation should be alert to the ways in which they may unwittingly facilitate access to—and misuse of—personal and sensitive information, and should be reminded that everyone has a role to play in the maintenance of information security.

The NDB scheme has played an important role in highlighting the importance of swift and proactive management of data breaches. As put by the Australian Information Commissioner and Privacy Commissioner, Angelene Falk:

The requirement to notify individuals of eligible data breaches goes to the core of what should underpin good privacy practice for any entity—transparency and accountability.”

“It’s also an opportunity for organisations to earn back trust by supporting consumers effectively to prevent or manage any potential harm that may result from a breach.”

Even if your organisation is not caught by the obligations, or in cases where you determine that a given data breach does not meet the eligibility threshold, working with affected individuals to minimise the consequences of data breaches promptly and openly represents a positive change in the privacy landscape.

If you have any questions about your privacy risks or obligations, feel free to get in touch with our Business team.

Written by Katie Innes with the assistance of Bryce Robinson.