Notifiable Data Breach Legislation
Deliberate criminal attacks behind most notifiable data breaches
The Office of the Australian Information Commissioner (OAIC) has released its second “Notifiable Data Breaches Quarterly Statistics Report”, which presents statistics on notifications received under the Notifiable Data Breaches (NDB) scheme from 1 April to 30 June 2018[i].
The NDB scheme commenced on 22 February 2018, and this is the first report that contains activity data for a full quarter.
The total number of data breach notifications received in the quarter was 242, which brings the total received in 2018 to 305 when the 63 notifications received between 22 February and the end of March 2018 are added.
The largest source of data breaches for all sectors was malicious or criminal attack (59 per cent) followed by human error (36 per cent) and system fault (5 per cent). Malicious or criminal attacks differ significantly from human error as they are deliberate acts designed to exploit system vulnerabilities.
These new figures are in contrast to the previous reporting period which identified human error (51 per cent) as the highest cause of data breach followed by malicious or criminal attack (44 per cent)[ii].
The sector that reported the highest number of data breaches was the private health sector (20 per cent), followed by the finance sector (15 per cent), the legal, accounting and management services sector (8 per cent), the private education sector (8 per cent), and the business and professional associations sector (6 per cent).
Human error continues to be an issue across all sectors and is the primary cause of data breaches in the private health sector (59 per cent), followed by malicious or criminal attack (41 per cent). Human error covers incidents in which a mistake made by a person caused the data breach. Common errors include personal information sent to the wrong recipient, insecure disposal of personal information, and loss of paperwork or a storage device. Most notifications (69 per cent) in the private health sector attributed to human error involved the data of 100 individuals or fewer.
Reducing human error continues to be the most significant challenge for organisations, with many failing to implement adequate technology to remove human exposure to personal data. Contact centres represent the most significant risk of human error, with many still exposing contact centre agents to credit card data. Contact centre solutions like AgentSecure reduce PCI DSS compliance scope by 90% by ensuring credit card data never enters the contact centre, thereby eliminating the risk of human error.
[i] Office of the Australian Information Commissioner, ‘Notifiable Data Breaches Quarterly Statistics Report: 1 April – 30 June 2018’, accessed 3 August 2018 at https://www.oaic.gov.au/resources/privacy-law/privacy-act/notifiable-data-breaches-scheme/quarterly-statistics/notifiable-data-breaches-quarterly-statistics-report-1-april-30-june-2018.pdf
[ii] Office of the Australian Information Commissioner, ‘Quarterly Statistics Report: January 2018 – March 2018’, accessed 3 August 2018 at https://www.oaic.gov.au/resources/privacy-law/privacy-act/notifiable-data-breaches-scheme/quarterly-statistics/Notifiable_Data_Breaches_Quarterly_Statistics_Report_January_2018__March_.pd