OAIC releases latest notifiable data breaches report

The Office of the Australian Information Commissioner (OAIC) has released its Notifiable Data Breaches Report: January-June 2021.

The OAIC has a range of powers and responsibilities under the Australian Information Commissioner Act and exercises powers under the Freedom of Information Act, the Privacy Act and other laws.

The report, released this week, summarises statistical information about notifications received under the National Data Breaches (NDB) scheme.

Key statistics revealed by the report include:

• a total of 446 notifications, down 16% from the period July to December 2020¹
• of these notifications, malicious or criminal attacks remain the leading source of data breaches (65%)
• the health sector remains the highest reporting industry sector, followed by finance and legal, accounting and management services.

The report also highlights emerging issues and priorities for the OAIC. The following positions outlined in the report may be of particular interest to practitioners and their clients, as they provide an indication of the OAIC’s regulatory approach to assessments and notifications undertaken in response to a data breach:

Impersonation fraud

The report says there were a number of data breaches resulting from impersonation fraud, with indications that malicious threat actors are gathering sufficient personal information from sources such as the dark web to circumvent identity verification controls.

The OAIC has noted that it “generally considers impersonation fraud to be an eligible data breach under the NDB scheme where the personal information the entity holds is accessed by a third party and results in a likely risk of serious harm”.

The OAIC considers that this “satisfies the test of an unauthorised disclosure, even when the malicious actor already held some of the personal information”.

Ransomware

During the reporting period a number of entities assessed that a ransomware attack did not constitute an eligible data breach due to a ‘lack of evidence’ that access to, or exfiltration of, data had occurred.²

In the report, the OAIC states that it “is insufficient for an entity to rely on the absence of evidence of access to or exfiltration of data to conclusively determine that an eligible data breach has not occurred”.³ The report notes further that, although “an entity cannot confirm whether a malicious actor has accessed, viewed or exfiltrated data within the comprised network, there will generally be reasonable grounds to believe that an eligible data breach may have occurred and an assessment under section 26WH [of the Privacy Act] will be required”.

Due to the prevalence of ransomware attacks, which have increased by 24% in the reporting period, the OAIC states that it expects entities to have appropriate internal practices, procedures, and systems in place to undertake a meaningful assessment under section 26WH.

The OAIC identified best practice as including:

• appropriate audit and access logs
• backup systems that are routinely tested for data integrity
• appropriate incident response plan
• engaging with cybersecurity experts at an early stage to conduct a forensic analysis if ransomware attacks occur.⁴

The OAIC provides a link to the Australian Cyber Security Centre which publishes information on how to protect your organisation against ransomware attacks.

While the report did not directly address the issue of the payment of ransom demands, practitioners and their clients should be alert to possible law reform following the introduction by the federal Opposition of the Ransomware Payments Bill 2021 (Cth) to Federal Parliament and likely increased scrutiny of ransom payments following this development.

Practitioners and their clients should also have regard to the ethics and legality of making such payments, as the Queensland Law Society has addressed previously in David Bowles’ article prepared for the QLS Ethics and Practice Centre.

The QLS Privacy and Data Law Committee continues to monitor these issues.

Key takeaways

The report highlights the need to know what triggers the notification obligation under the NDB scheme. One trigger is when personal information is lost where there is a likelihood, versus the actuality, of unauthorised access or disclosure.

While the OAIC has a range of regulatory powers available to it, the potential penalties for non-compliance are high – 2000 penalty units (the current total is $444,000) with a court having power to order bodies corporate to pay up to $2.22m.

For more information:

• See the OAIC media release
• QLS also seeks to provide members with information about the latest threats and risks, and provide basic tips for best practice in legal practices. See the QLS Cybersecurity page.

If practitioners wish to raise any general queries or issues for the Privacy and Data Law Committee’s consideration, please email policy@qls.com.au. 

This article has been prepared with the assistance of members of the QLS Privacy and Data Law Committee.

Footnotes
¹ Most estimates conclude that the incidents reported to OAIC are only a small percentage of cybercriminal activity.
² Office of the Australia Information Commissioner, ‘Notifiable Data Breaches Report: January-June 2021’, p18.
³ Ibid.
4 Ibid.