The Office of the Australian Information Commissioner (OAIC) publishes statistical information on a half-yearly basis that relates to Australia's NDB scheme to assist entities and the public to understand its operation. The latest Notifiable Data Breaches Report (NDB Report), published on 23 August 2021, provides an overview of the NDBs that occurred in the first half of this year. It builds on the findings of the July to December 2020 NDB Report that was released in January 2021.
Notifiable Data Breaches Report findings
Broadly, data breach notifications received by the OAIC between January and June this year have decreased by 16% compared with the previous six months. They are down 11% compared with the January to June 2020 NDB Report. In keeping with trends in previous reports, health service providers remain the most targeted sector (19% of all notifications), followed by the finance sector (13%). Interestingly, while the majority of entities (72%) notified the OAIC within 30 days of becoming aware of an incident, 27 entities took longer than 120 days from when they first became aware of an incident to notify the OAIC. The OAIC has not provided further insights into the reasons for these delays.
While the number of reported data breaches arising due to human error is down as compared with the previous report (from 38% to 30%), the majority of breaches continue to arise from malicious or criminal attacks (65% of all breaches). However, the Australian Information Commissioner has cautioned organisations to 'not forget the human factor also plays a role in many cyber security incidents, with phishing being a good example.' In our experience, a phishing email is often the precursor to a ransomware event and therefore regular and effective staff cyber security training should remain a top priority for organisations.
Ransomware on the rise
Of the malicious or criminal attacks that were reported to the OAIC, 66% involved a cyber security incident. Indeed, 43% of all data breaches reported to the OAIC involved a cyber security incident. Of note in these figures is the rise of ransomware attacks in Australia. Data breaches arising from ransomware incidents have increased by 24%, from 37 notifications last reporting period to 46 in the latest report. Australian Information Commissioner and Privacy Commissioner Angelene Falk highlighted this development as cause for concern, particularly when considering the difficulty of assessing whether a ransomware attack constitutes an NDB.
During the January to June 2021 reporting period, a number of entities assessed that a ransomware attack did not constitute an ‘eligible data breach’ due to a ‘lack of evidence’ that access to or exfiltration of data had occurred. The OAIC has made it clear in this report that entities are still expected to conduct an assessment under section 26WH of the Privacy Act 1988 (Cth) (Privacy Act) if there are reasonable grounds to suspect that there may have been an eligible data breach. This is the case even if the entity is not aware that there are reasonable grounds to believe (i.e. conclude) that the relevant circumstances amount to an eligible data breach.
The NDB Report emphasises that an entity cannot rely on the absence of evidence of access to or exfiltration of data to determine that an eligible data breach has not occurred. It follows, therefore, that even though an entity may not be able to conclusively determine that a malicious actor has accessed, viewed or exfiltrated data stored within a compromised network, there will generally still be reasonable grounds to believe that an eligible data breach may have occurred. This, in turn, will enliven the ‘eligible data breach’ assessment requirements under section 26WH of the Privacy Act.
Given the increasing threat of ransomware attacks, the OAIC has provided guidance for entities on maintaining appropriate internal practices, procedures and systems with respect to section 26WH assessments. Best practice includes:
- having appropriate audit and access logs;
- using a backup system that is routinely tested for data integrity;
- having an appropriate incident response plan; and
- considering engagement of a cyber security expert at an early stage to conduct a forensic analysis should a ransomware attack occur.
The management of ransomware events is likely to become even more complex as the legal position evolves in Australia and internationally, as discussed below.
Increasing risk of impersonation fraud
In response to a number of breaches recorded in the most recent NDB Report, the Commissioner also emphasised the importance of vigilance against impersonation fraud. Impersonation fraud involves a malicious actor impersonating another individual to gain access to an account, system, network or physical location. The OAIC generally considers impersonation fraud to be an eligible data breach under the NDB scheme where the personal information the entity holds is accessed by a third party and results in a likely risk of serious harm. This will be the case even when the malicious actor may have already held some of the personal information, as the incident will still constitute unauthorised disclosure of the affected individual’s personal information. The Commissioner observed that:
‘The growth of data on the dark web unfortunately means that malicious actors can hold enough personal information to circumvent entities’ ‘know your customer’ and fraud monitoring controls … Entities should continually review and enhance their security posture to minimise the growing risk of impersonation fraud.’
With this in mind, organisations are encouraged to consider:
- having robust identity verification processes in place and adapting them to mitigate emerging impersonation fraud threats;
- training staff in identity verification processes as well as how to report and escalate fraud;
- implementing multifactor authentication; and
- automatically notifying customers when changes are made to their account or if there are failed authentication attempts.
Reform on the horizon?
With the increasing prevalence of ransomware attacks, we expect to see legislative reform in the near future. On 21 June 2021, Shadow Assistant Minister for Cyber Security, Tim Watts, introduced in Federal Parliament the Ransomware Payments Bill 2021 (the Bill). This comes in the wake of the Department of Home Affairs secretary, Mike Pezzullo, foreshadowing a mandatory notification scheme in Senate Estimates in May this year. Currently before the Senate, the Bill (if passed) would require public and private entities (excluding small businesses) to report any ransomware payments to the Australian Cyber Security Centre (ACSC). The Bill would also permit the ACSC to disclose any of the information contained in a notification it receives to law enforcement agencies, and to any person (including the public) for the purpose of informing the recipients about the current cyber threat environment. Described in the Explanatory Memorandum as an ‘important foundation for a comprehensive national ransomware strategy’, the Bill is a clear indication that countering the threat of ransomware is an increasing priority for the federal government.
MinterEllison provides full-service IT legal and consultancy services with extensive experience in privacy, data protection and software and IT service procurement. Our team can assist you in understanding your obligations under the Privacy Act and other privacy-related laws, in designing and maintaining cyber security and data management best practice, and in early engagement with privacy and data security legislative reform.