As the third anniversary of the introduction of the scheme approaches, the Office of the Australian Information Commissioner (OAIC) has published its six-monthly report on the Notifiable Data Breaches (NDB) scheme (PDF 4MB). The report reveals ongoing trends and provides further guidance on the OAIC’s views of what an effective breach response looks like.
Between 1 July and 31 December 2020, a total of 539 eligible data breaches were notified to the OAIC, up 5% on the previous six months. The key causes remain malicious or criminal attacks (58% of all breaches) and human error (38%). The health sector remains the sector reporting the highest number of breaches, and the Australian Government has entered the top five sectors for notifications. The OAIC has reflected on the privacy risks created by working-from-home arrangements during COVID-19 restrictions, noting a marked increase in data breaches resulting from human error over the same period. However, it considers it too early to draw firm conclusions about a causal link.
Malicious or criminal attacks (which include cyber incidents, social engineering and rogue employees or insider threats) and human error continue to dominate the causes of data breaches notified to the OAIC for the period. The majority of the malicious attacks were cyber incidents involving unauthorised access to accounts using compromised or stolen credentials, and email-based phishing remains one of the most common ways those credentials are obtained.
The human factor continued to be a major cause of breaches, with human error notifications rising 18% from 173 to 204 (in particular in the health sector). These errors are still often simple: sending personal information to the wrong email address, accidental release or publication, and failing to use the blind carbon copy (BCC) function when emailing large groups of people. Simple as they are, these errors can affect large numbers of people: unauthorised disclosure breaches affected an average of 20,117 individuals per breach.
Time taken to notify: the OAIC has observed significant variation in the time entities take to notify. The Privacy Act requires an entity to complete its assessment of a suspected breach within 30 days, and to notify affected individuals and the OAIC as soon as practicable once it concludes that an eligible data breach has occurred; the 30 days is a ceiling on the assessment, not a window in which notification may be deferred. The OAIC emphasises that timely assessment and notification allow individuals to make informed decisions and take prompt steps to protect themselves. Any delay must be reasonable and justified in the circumstances.
Content of notification: the OAIC has found some notices to be deficient in that they did not enable individuals to understand the risks to them. It reiterated the information that must be provided, which includes a clear explanation of the eligible data breach, the kinds of personal information involved, and recommendations about the steps individuals should take in response.
The OAIC highlighted a particular example of a good data breach assessment and response, carried out across a total of 35 days. This included:
Organisations should take the following measures to address the risks highlighted by the report:
The Security Legislation Amendment (Critical Infrastructure) Bill 2020 was introduced in Parliament in December 2020 to uplift the security and resilience of Australia’s critical infrastructure. It will expand the scope of the Security of Critical Infrastructure Act 2018 to cover 11 critical sectors, including data storage and processing, and health care and medical. This will mean additional risk management obligations for entities in those sectors, as well as an obligation to report cyber security incidents to the Australian Signals Directorate. The change is aimed at ensuring Australia’s approach to critical infrastructure evolves to maintain security and resilience in the current threat environment.
In addition, the Privacy Act Review that commenced in October 2020 will consider the impact and effectiveness of the NDB scheme, now three years on from its implementation.