The Office of the Australian Information Commissioner (OAIC) has released its most recent quarterly data breach statistics report, as well as an Insights Report on the first 12 months of the Notifiable Data Breach (NDB) scheme.
According to the OAIC, the key to managing data breaches is preparing for them – organisations that know what data they hold and where it is, and that have a data breach response plan, are best placed to meet their obligations.
Since the introduction of the NDB scheme, there has been a 712% increase in data breach notifications (which include voluntary notifications), with consistent trends in the most affected sectors and the causes of data breaches. This suggests that organisations understand their notification obligations, but the root causes of data breaches still need to be addressed and managed.
To coincide with Privacy Awareness Week (PAW), the Office of the Australian Information Commissioner (OAIC) last week released its:
Here, we highlight and consider some of the key themes and more interesting trends identified in the Report. The introduction of the NDB scheme was a significant development in Australia's privacy regime, applying to all organisations subject to the data protection obligations in the Privacy Act 1988 (Cth) (Privacy Act). In an era of increasing and mass collection of data and personal information, the NDB scheme serves as a safeguard for consumers where protections have failed: it requires organisations to take steps to assess, remediate and report data breaches, and to alert those affected so that they can take their own measures to mitigate the harm.
For a guide to responding to an eligible data breach, see our previous article, Oops, you've had a privacy breach. Now what?
Some of the key themes in the Report are set out below.
Malicious and criminal attacks were the main source of data breaches in the NDB scheme's first year of operation, representing 60% of all reported breaches. This highlights the challenges organisations face in addressing cyber security risks and threats. The OAIC reports that 68% of these data breaches are attributed to common cyber threats such as phishing, malware, ransomware, brute-force attacks, compromised credentials and other forms of hacking. However, most of these malicious breaches still had a human error component that contributed to the breach, such as a phishing attack in which an employee clicked on a link in an email that caused malware to be downloaded.
Overall, 35% of data breaches were attributed solely to human error. The most prominent human errors recorded were everyday incidents such as personal information being sent to the wrong recipient, unauthorised disclosure, and the loss of paperwork or a data storage device.
These statistics send a strong message to organisations to continually train and remind staff that they are all responsible for being alert to cyber threats. Staff also need to know how to deal with those threats safely, and how to handle personal information carefully in a way that minimises the risk of human error causing a data breach. Given the effect and prevalence of human error in data breaches, organisations will need to consider how to manage the potential for employees to facilitate malicious attacks, including through the use of technology and, within the boundaries of the law, the monitoring of employees' activities in relation to their access to critical IT systems.
Organisations also need to actively assess the risks and specific threats to their data assets and remediate potential or apparent vulnerabilities in their IT security. The new APRA Prudential Standard CPS 234 makes IT security for APRA-regulated entities a board responsibility (for more information, see our article on CPS 234).
The health and finance sectors reported the most data breaches over the past year, which shows that their risk profile is higher. The finding reflects the highly sensitive and valuable personal information that organisations in these industries hold. In both sectors, human error was a cause of data breaches at an above-average level: it was the leading cause, accounting for 55% of data breaches in health and 41% in finance, compared with 35% across all sectors. These statistics sound an important alert to organisations in these industries that systematic improvements to their culture of handling personal information may be necessary.
Although there has been prominent media coverage of various data breach incidents, most data breaches affected fewer than 1,000 people. The Report states that this reflects poor workplace practices that lead to scenarios where one employee handles information in a way that causes dozens of records to be breached, rather than single system compromises resulting in high-volume data loss incidents. Where a data breach does result in a large number of individuals being affected, it is often in a multi-party breach scenario. In the past year, there were 73 notifications of data breaches that affected between 1,001 and 5,000 people, which we expect included notifications arising from the PageUp data breach.
The Report provides insights from the CEO of IDCARE, Professor David Lacey, on how organisations can be seen in a positive light following a data breach. Key to this is starting with the assumption that affected individuals could be harmed by the breach. This shifts the focus of the response from minimum compliance with obligations towards the individual's interests.
It is also important for organisations to consider the wording and timing of notifications and how they could affect, or even harm, the recipients. Professor Lacey noted that where organisations issued breach notifications on a Friday and required actions that could not be taken over the weekend, recipients were left feeling helpless. When wording the notifications, transparency and simplicity are key. Organisations should avoid statements that give mixed messages; for example, claiming the risk of harm is low but then giving a long list of recommended response actions.
When a notifiable data breach affects multiple parties, the NDB scheme requires only one affected entity to issue the necessary notifications. To execute this smoothly, and to ensure consumers are not confused and bombarded with notifications, the OAIC recommends that the organisation with the most direct relationship with and connection to the consumer should notify. However, organisations may differ in their views about whether to notify or who should notify.
The Report highlights the case study of last year's PageUp data breach, which resulted in more than 50 notifications to the OAIC from PageUp and its customers. Some individuals also received notifications from many of PageUp's clients, causing widespread concern and confusion.
The OAIC recommends that organisations manage this by implementing data breach response plans ahead of time, which should address the investigation, assessment, management and notification of data breaches, including reporting in multi-party breaches. Given the increasingly interconnected data supply and vendor chain, time spent addressing these issues in contract provisions between customers and their vendors and sub-contractors is well spent, and this has been identified by the OAIC as a key area for improvement.
According to the OAIC, the assessment of whether a data breach is an 'eligible data breach' (which requires an assessment of whether the data breach is likely to result in serious harm to affected individuals) is designed to be flexible, so that organisations have scope to make a decision based on the circumstances. However, the challenge for organisations is understanding the OAIC's expectations about the types of scenario it considers would meet the 'serious harm' test. This has meant that, to be on the 'safe side', some organisations may report a data breach that is not (or not yet) notifiable. This has the potential to cause notification fatigue and confusion.
The OAIC noted that it had received a total of 1,132 notifications (between 1 April 2018 and 31 March 2019), comprising 964 eligible data breaches and 168 voluntary notifications. Voluntary notifications are defined as 'breaches not deemed ‘eligible data breaches’ under the NDB scheme, usually because the threshold has not been reached or the reporting entity is not bound by the Privacy Act'. The Privacy Commissioner commented in launching the Report that these notifications included organisations that were not subject to the Privacy Act. This suggests that some of these voluntary reports may have been assessed by the organisations as notifiable when in fact they were not, or that the organisations chose to notify for other reasons. Further clarity from the OAIC would help both practitioners and their client organisations.
The NDB scheme is complemented by a broader global landscape that is moving towards regulating the notification of data breaches and resulting in stronger cross-border cooperation between regulators. Notably, the European Union's General Data Protection Regulation (GDPR) came into effect in May 2018 and introduced a strict new mandatory 72-hour data breach notification regime. This becomes relevant for organisations that have an international presence – whether through clients they contract with, or through branches, subsidiaries, agents or customers located in Europe or other countries, who may be affected by a data breach. Where a data breach has been reported under an international regime but the organisation is uncertain whether it constitutes an eligible data breach, the OAIC encourages organisations to engage with it to assist in making a determination.
Finally, although the Commissioner has broad scope to initiate investigations of any act or practice that may be an interference with the privacy of an individual or a breach of Australian Privacy Principle 1, the Report does not detail whether any investigations have commenced following notification of (or even failure to notify) a notifiable data breach.
Overall, the first year of the NDB scheme's operation has certainly seen an increased awareness of notification obligations, and will hopefully lead to improved data management practices throughout Australia as we learn more from notifications and the experiences of other organisations.
Preparation is key. For organisations that are subject to the Privacy Act, the one-year anniversary of the NDB scheme is a good opportunity to review and test your data breach response plan (or to develop one if you do not have one).
We can assist with a review, advise on steps you can take to manage a data breach, and offer further information regarding the new requirements for APRA regulated entities in this area. Our IT consultancy team, ITNewcom, can assist you with technical concerns and requirements relating to your data security systems.
Finally, take a look at our 2019 Perspectives on Cyber Risk Report for further insights on managing cyber threats and on the future impact of AI.