The Notifiable Data Breaches Scheme – One Year On…

On 22 February 2018 the Notifiable Data Breaches scheme was introduced to increase public awareness and protection against cyber hacking and data breaches of organisations that hold personal information.

The Privacy Act applies to all organisations that have a turnover of $3 million or more and requires organisations to notify the Information Commissioner of any data breaches which may have interfered with an individual’s personal information. Reporting obligations are mandatory so after its first year of operation it is interesting to note that most of the data breaches reported to the Information Commissioner involved a human factor, like sending information to the wrong person or someone’s login credentials being compromised through phishing or other means and then using those username and passwords in a cyber attack.

The Information Commissioner releases quarterly reports. Organisations and agencies are expected to act on the risks highlighted by those reports regardless of whether or not they were directly affected, so as a community, and as a nation, we can take steps to prevent similar breaches of personal data belonging to Australians.

Under the scheme, organisations must carry out an assessment whenever they suspect that there may have been loss of, unauthorised access to, or unauthorised disclosure of, personal information that they hold.

If serious harm is likely to result, organisations must notify affected individuals so they can take action to address the possible consequences, such as changing passwords and checking their credit record. They must also notify the Office of the Australian Information Commissioner.

From the scheme’s introduction on 22 February to the end of December 2018, 812 data breaches were notified to the Commissioner.

Comments from the Information Commissioner’s office are that the growing number of data breaches are consistent with trends experienced overseas and indicates agencies and organisations are complying with their notification obligations.

Of the 262 notifications for the quarter ended December 2018:

• 33% were attributable to human error
• 64% were attributable to malicious or criminal attacks
• 3% were attributable to system faults

The type of personal information involved in the breaches notified were:

• Contact information – 85%
• Financial details – 47%
• Identity information – 36%
• Health information – 27%
• Tax File Numbers – 18%
• Other sensitive information – 9%

The type of human error involved:

• Unintended release or publication
• Failure to redact or sending to wrong email or postal address
• Insecure disposal of information
• Failure to use BCC when sending an email
• Loss of paperwork/data storage device

The type of malicious or criminal attack breaches involved:

• Social engineering / impersonation
• Rogue employee/insider threat
• Theft of paperwork or data storage device
• Cyber incident

The different types of cyber incidents reported were:

• Hacking
• Phishing (compromised credentials)
• Brute-force attack
• Compromised or stolen credentials
• Malware
• Ransomware

The December Notifiable Data Breaches quarterly report is available at oaic.gov.au/ndbreport.

If you need assistance in reviewing your current practice and procedures to ensure they comply with the Privacy Act, or if you are concerned your personal information may have been compromised and would like to know what your rights are, contact our office for more information.