The Office of the Australian Information Commissioner (OAIC) regularly publishes reports on data breaches that have been reported to the commission under the Notifiable Data Breaches scheme.
This scheme was established in 2018 to improve protection of identifiable consumer information and improve the security standards for protecting personal information. Under the scheme, any organisation covered by the Privacy Act 1988 (Cth) must notify individuals affected by a data breach when harm to that person is the likely outcome of the breach and must also notify the OAIC of this type of data breach.
The OAIC reports analyse why data breaches occur and what industries they occur in. The Report for the first half of 2021 was based on 446 notifications of data breaches and highlighted that:
- malicious or criminal attacks are currently the leading sources of data breaches, accounting for 64% of the total data breaches
- data breaches caused by human errors made up 30% of the total data breaches, with 40% of those breaches resulting from personal information being sent to the wrong recipient
- the health industry continues to report the highest breach notifications making up 19% of all breaches, followed by the finance industry which was responsible for 13% of breach notifications
- most data breaches (91%) involved contact information, such as name, address, email address and phone number; identity information, such as date of birth and passport details, was involved in 55% of data breaches.
What causes data breaches
Data breaches occur when personal information is obtained either by accident or maliciously. The Report found that data breaches occurring as a result of human error most commonly occurred where there was:
- information sent to the wrong person
- a failure to use BCC in an email
- unintentional publication of information
- loss of paperwork
Data breaches that occurred maliciously were the result of:
- compromised credentials
- theft of data
The Report also noted that data breach notifications were down 16% when compared to the last reporting period. We expect the OAIC will monitor any downward trend carefully to ensure it is the result of fewer breaches rather than organisations not complying with their reporting obligations.
As for the obligation to report data breaches, only eligible data breaches are required to be reported to the OAIC. A breach is not an eligible data breach where:
- an entity takes action in relation to the loss, unauthorised access to or unauthorised disclosure of personal information before it results in serious harm to an individual; and
- a reasonable person who is properly informed based on the information immediately available would conclude that the action makes it unlikely that serious harm would be suffered by any of the affected individuals.
The OAIC can issue sanctions where there is a failure to comply with the mandatory reporting obligations, including significant fines and enforceable undertakings.
Organisations should know their responsibilities in relation to data breaches under the Privacy Act. A plan should be in place to respond quickly to any data breach in order to comply with the Act and minimise any damage or loss to individuals and the reputation of the organisation.
If your organisation needs any assistance or advice with privacy matters, data breaches or preparing a data breach response plan, call Griffin Legal on 02 6198 3100.