Notifiable Data Breach Legislation
Human error still behind many reported data breaches
The recently released Notifiable Data Breaches Quarterly Statistics Report 1 July – 30 September 2018 [i] documents notifications received by the Office of the Australian Information Commissioner (OAIC) in the last quarter under the Notifiable Data Breaches (NDB) scheme.
There were 245 notifications received in this period. Malicious or criminal attacks accounted for 57 per cent of the data breaches noted, a slight improvement on the 59 per cent reported last quarter. Unlike human error (up one per cent from last quarter to 37 per cent), these attacks are deliberately carried out for financial or other gain. Examples include phishing, malware, ransomware, brute-force attacks and hacking by other means, as well as social engineering or impersonation and actions taken by a rogue employee or insider threat. System fault was also up one per cent from last quarter, now sitting at 6 per cent.
The highest number of data breaches was once again reported by health service providers (18 per cent), down 2 per cent since last quarter. They were followed by the finance sector (14 per cent), also down 1 per cent from last quarter. Legal, accounting and management services were a close third, also at 14 per cent, a leap from the 8 per cent reported last quarter.
Human error continues to be an issue in all sectors and remains the primary cause of data breaches in the private health sector, although breaches due to human error there have dropped slightly from 59 per cent last quarter to 56 per cent. Across all sectors, sending personal information to the wrong recipient via email accounts for 12 per cent of all data breaches, followed by the unintended release or publication of personal information (6 per cent), loss of paperwork or a data storage device (5 per cent), and sending personal information to the wrong recipient via mail (5 per cent). This quarter also saw incidents where personal information was provided to the wrong recipient by channels other than email, fax or mail, such as delivery by hand or uploading to a web portal.
Australian Information Commissioner and Privacy Commissioner Angelene Falk says, “Everyone who handles personal information in their work needs to understand how data breaches can occur so we can work together to prevent them.” [ii]
“Organisations and agencies need the right cyber security in place, but they also need to make sure work policies and processes support staff to protect personal information every day.”
[i] Office of the Australian Information Commissioner, ‘Notifiable Data Breaches Quarterly Statistics Report 1 July – 30 September 2018’, accessed 7 November 2018 at https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme/quarterly-statistics-reports/notifiable-data-breaches-quarterly-statistics-report-1-july-30-september-2018
[ii] Office of the Australian Information Commissioner, ‘Preventing data breaches should be business as usual’ at https://www.oaic.gov.au/media-and-speeches/media-releases/preventing-data-breaches-should-be-business-as-usual