The Office of the Australian Information Commissioner (OAIC) has released its bi-annual report on Notifiable Data Breaches for January to June 2022. The report provides insight into the leading sources of data breaches, emerging issues and areas for ongoing attention by regulated entities.
Organisations are required to report Notifiable Data Breaches to the OAIC under the “Notifiable Data Breach Scheme” (NDB Scheme) in the Privacy Act 1988 (Cth) (Privacy Act). A data breach occurs when “personal information” is lost or subjected to unauthorised access or disclosure. The breach must be reported to the OAIC (and affected individuals notified) when it is likely to result in “serious harm” to the affected individuals, which OAIC guidance suggests may include serious physical, psychological, emotional, financial or reputational harm.
In the time that the NDB Scheme has been in place, hundreds of breaches have been reported to the OAIC. Indeed, in the 2021-22 financial year alone the OAIC was notified of 856 breaches.
The bi-annual report provides an invaluable resource for businesses when reviewing data management risks and practices or preparing privacy impact assessments.
Some key insights from the January 2022 – June 2022 report include:
Of the malicious or criminal attacks, 65% were attributed to “Cyber Incidents”, including ransomware (31% of cyber incidents), phishing (26% of cyber incidents) and compromised or stolen credentials (25% of cyber incidents). The two leading factors behind human error breaches were personal information being sent to the wrong email recipient (38%) and unauthorised disclosure (unintended release or publication) (24%). Unintended disclosures also had the highest impact per breach, affecting 134 people on average.
Following the recent Optus and Medibank data breaches, businesses (and their data practices) have been squarely in the public eye, and in the sights of the OAIC, and may soon be subject to significantly increased penalties for repeated or serious privacy breaches (which we wrote about here). So, what can your business do to protect itself and the data it holds?
It is clear from the OAIC report that the human element in our systems remains a key vulnerability. The Australian Cyber Security Centre recommends that all businesses prioritise improving staff awareness of cyber security issues and threats, including by clearly documenting their cyber security systems and plans, training employees in them, and designing and implementing cyber security awareness programs for all employees.
Businesses seeking to implement best practice data management should look to the ‘privacy by design’ approach recommended by the OAIC, which calls for businesses to build privacy into the design specifications and architecture of new systems and processes.
A key mechanism for achieving this is by undertaking regular privacy impact assessments (PIAs) prior to any new project that involves personal information. A PIA can assist in identifying the privacy risks associated with a project and developing appropriate strategies for mitigating those risks.
The Australian Cyber Security Centre also has a number of recommended strategies organisations can implement to mitigate cyber security incidents, which can be accessed here. For further information on securing personal information, you may also wish to refer to the OAIC guide here.
A key issue highlighted by the Optus and Medibank data breaches is the importance of destroying or de-identifying data that is no longer required. Australian Privacy Principle 11 requires businesses to take reasonable steps to destroy or de-identify personal information that is no longer needed for any lawful purpose. To avoid breaching this requirement, businesses must have robust document destruction and/or de-identification procedures in place. We expect data retention, and the scope of personal information collected by businesses, to be a key focus of the regulators in the wake of the Optus and Medibank data breaches.
It is essential that businesses remain alive to the very real threat of data breaches, whether through malicious means or human error. The risks associated with such breaches can be mitigated by implementing best practice data protection procedures and policies. The OAIC has also separately made clear that it is not enough just to have such policies and procedures [1]; businesses must also operationalise them by requiring regular training and monitoring compliance.
For further information, please contact Hamish Fraser, Belyndy Rowe, James Hoy and Emma Croft.
[1] Commissioner Initiated Investigation into Uber Technologies, Inc. & Uber B.V. (Privacy) [2021] AICmr 34 (30 June 2021)