Privacy update: Notifiable Data Breach scheme, a year on

Mar 13, 2019

A year has passed since the mandatory Notifiable Data Breaches scheme (NDB scheme) commenced under the Privacy Act 1988 (Cth) (Act).

Our latest Privacy update provides a reminder of the obligations imposed in relation to data breaches and considers key statistics drawn from the latest quarterly report by the Office of the Australian Information Commissioner (OAIC) on Notifiable Data Breaches.

What is the NDB scheme?

The scheme introduced a mandatory data breach notification regime which applies to those already bound by the Act, including businesses with an annual turnover of $3 million or more.

The NDB scheme imposes substantial obligations on regulated entities to notify affected individuals and the privacy watchdog, the OAIC, about data breaches that are likely to result in serious harm.

In summary, a potentially reportable data breach occurs when:

  • there is unauthorised access to, or unauthorised disclosure of, personal information held by a business in circumstances where a reasonable person would conclude that this would be likely to result in serious harm to any of the individuals to whom the personal information relates; or
  • personal information is lost in circumstances where unauthorised access to or unauthorised disclosure of the information is likely to occur, and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates; and
  • in either case, the business has been unable to prevent the likely risk of serious harm with remedial action.

Notifiable Data Breaches Quarterly Statistics Report: 1 October ― 31 December 2018

262 data breaches

The OAIC reported 262 data breaches for the quarter, reflecting an increase of 17 from the previous quarter.

64% malicious or criminal attacks

Perhaps the most important statistic yielded by the report is that malicious or criminal attacks continue to be the main source of data breaches, accounting for 68% of data breaches this quarter. There has been a decrease in the number of breaches caused by human error.

As outlined in the report, the main types of ‘malicious or criminal attack’ are calculated cyber incidents such as phishing (a sham attempt to gain personal information through emails disguised as being from a reputable source), malware or ransomware (disruptive software), credential theft, brute-force attacks (automated software designed to obtain PINs by trial-and-error guesswork) and social engineering/impersonation (being deceived into revealing personal information to someone online for fraudulent purposes).

A large proportion of these attacks appear to have exploited human errors, such as clicking on an attachment contained in a phishing email.

Aside from the cyber incidents described above, offline examples of malicious or criminal attacks included theft of paperwork or data storage devices and actions taken by a rogue employee (an insider threat).

33% human error

The second highest cause of data breaches this quarter was human error (33%), mostly attributed to the sending of personal information to the wrong recipient by email or mail and unintended release/publication of personal information.

Human error involving unintended release of personal information was the sub-category of data breach affecting the greatest number of people, with an average of 17,746 affected individuals per breach.

Most affected sectors

The sectors with the highest incidence of data breaches were health service providers (the most highly represented sector), finance, legal/accounting, private education and mining.

Key lessons

Safeguard credentials

Given the extremely high incidence of malicious or criminal cyberattacks exploiting human errors, the need to educate individuals within your organisation about safeguarding credentials and protecting access to information is as vital as ever.

Regular re-setting of passwords and avoiding re-use of the same passwords are recommended by the OAIC. Likewise, careful monitoring of suspicious scam-like behaviour (and sharing these observations within your organisation) will help increase awareness of the tricks of the trade used by cyber attackers.

Prevention strategies

Businesses should have in place robust privacy procedures aimed at preventing data breaches, and should implement strategies that include, at a minimum, a data breach response plan that identifies when a breach that has occurred may need to be reported.

Your existing privacy strategies and practices should be carefully reviewed and amended to put you in the best possible position to avoid a data breach or mitigate the effect of one.

More information

For more information, or advice regarding an existing privacy policy or to have a policy drafted, please contact Daniel Kovacs, Principal Lawyer, on (03) 8600 8859 or dkovacs@kcllaw.com.au, or Dana Morrison, Lawyer, on (03) 8600 8809 or dmorrison@kcllaw.com.au.

Author

More information on the authors, Daniel Kovacs and Dana Morrison.

Note: This update is a guide only and is not intended to constitute legal advice.
