New notifiable data breaches report released

The Office of the Australian Information Commissioner (OAIC) has released its Notifiable Data Breaches Report: July – December 2021 (report).

The report is an important reminder to put accountability and individuals at the centre of data breach responses.

What is the Notifiable Data Breaches Report?

The report outlines key statistics regarding notifiable data breaches across impacted Australian industries. It also reinforces the OAIC’s expectations of ‘privacy best practice’ for organisations responding to data breaches under the Notifiable Data Breaches (NDB) scheme.

What is the NDB scheme?

The NDB scheme sets mandatory notification and reporting requirements for certain data breaches.¹ Under the NDB scheme, the OAIC and affected individuals must be notified of an ‘eligible data breach’, which occurs when:²

• personal information held by an entity is accessed or disclosed without authorisation, or is lost (with unauthorised access or disclosure likely), and
• the data breach is likely to result in serious harm to one or more individuals

unless the entity takes remedial action to prevent the likely risk of serious harm.

Further, the NDB scheme requires relevant entities to carry out an assessment of a suspected data breach within 30 days of becoming aware that there may have been an eligible data breach.³

The requirement to notify the OAIC and affected individuals of eligible data breaches reflects the core principles underpinning good privacy practice: transparency and accountability.

Key findings

Key findings of the report include:

• a total of 464 notified data breaches, up 6% from the previous reporting period⁴
• a 43% increase in data breaches due to human error,⁵ largely due to individuals emailing personal information to the wrong recipient⁶
• the leading source of notifiable data breaches continues to be malicious or criminal attack (55% of notified data breaches, down 9%), followed by human error (41% of notified data breaches, up 43%) and system fault (4% of notified data breaches, down 18%)⁷
• the health sector remains the highest reporting industry sector, with 83 notified data breaches, followed by finance (56 notified data breaches), and legal, accounting and management services (51 notified data breaches)⁸
• just over one third of all notified data breaches resulted from cyber security incidents, which mostly involved phishing, compromised or stolen credentials, and ransomware.⁹

Key takeaways

The OAIC, and the community more generally, expect entities to have strong accountability measures in place to prevent and manage data breaches. Entities are expected to put individuals at the centre of their data breach response.

In particular, the report reinforces the following expectations:

• 30 days is a maximum: The OAIC reports that some organisations took over 120 days to give notice after becoming aware of a data breach. The OAIC expects organisations to treat the 30-day period for carrying out an assessment of a suspected data breach¹⁰ as a maximum timeframe, with organisations aiming to complete an assessment before the 30-day timeframe. This is because the risk of affected individuals suffering serious harm usually increases over time. The OAIC expects reporting entities that take longer than 30 days to complete an assessment to explain any ‘reasonable grounds’ for the delay.¹¹
• Quick and general is better than slow and tailored: In the OAIC’s view, taking time to tailor notifications for individuals is not a sufficient reason for delaying notification. Best privacy practice, according to the OAIC, is to give prompt notification with general recommendations to all affected individuals, rather than delaying notification to prepare tailored notices.¹²
• Risk of serious harm must be assessed: When assessing whether serious harm has occurred, entities must take a holistic approach and consider factors such as the likelihood of harm occurring for affected individuals and the nature of the harm.¹³

How can breaches be mitigated?

In October 2021, the Australian Cyber Security Centre (ASCS) released updated guidance on mitigating the use of stolen credentials, warning that stolen credentials causing cyber-attacks was growing as users increasingly access sensitive information and services via remote means.

The ASCS’s guidance emphasises the importance of multi-factor authentication and the need to carefully implement and configure authentication and access services.

Other credential attack methods, such as brute force attacks and credential stuffing, can be addressed through the adoption of strong passwords, password recycling, and improved cyber security education and awareness.

This article was prepared with the assistance of members of the Queensland Law Society Privacy, Data, Technology and Intellectual Property Law Committee.

Footnotes
¹ Privacy Act 1988pt IIIC.
² Ibid ss26WE, 26WF, 26WK & 26WL.
³ Ibid s26WH.
⁴ Notifiable Data Breaches Report: July – December 2021 p5.
⁵ Ibid p5.
⁶ Ibid p16.
⁷ Ibid pp5, 13.
⁸ Ibid p19.
⁹ Ibid p15.
¹⁰ Privacy Act 1988 s26WH.
¹¹ Notifiable Data Breaches Report: July – December 2021 p12.
¹² Ibid pp12-13.
¹³ Ibid p15.