OAIC's NDB Report: key commentary and insights
Alongside the breakdown of data breach statistics, the Commissioner provided guiding commentary and case studies that serve as useful insights and takeaways.
With more power comes greater expectations
Established in February 2018, the NDB scheme is now considered a 'mature' model by the OAIC. The Commissioner outlined her expectations that entities must now have strong information security practices in place as well as 'processes to ensure a timely response and compliance with the requirements of the scheme should a data breach occur.'
The amendments to the Privacy Act introduced in December 2022 have given the Commissioner new and increased regulatory powers. Amongst the changes, the Commissioner now has the power to compel the provision of information and documents related to a suspected or actual eligible data breach (s 26WU). In the NDB Report, the Commissioner noted that these powers had already been used in the first half of the year.
Time is of the essence
Section 26WH of the Privacy Act requires entities to take all reasonable steps to complete an assessment of a suspected eligible data breach within 30 days. The Commissioner observed that 26% of entities did not meet this target. Delayed reporting times were attributed to entities adopting a 'fixed method' or 'sequential' approach to assessing and responding to data breaches. Businesses should instead take a flexible and adaptive approach to conducting 'reasonable' and 'expeditious' assessments. The Commissioner recommends that the steps in a data breach response plan be taken in parallel or in quick succession rather than strictly one after another. Businesses should also assess dynamically whether every step is necessary, or whether some stages can be combined or re-ordered to make the assessment process as efficient as possible.
Remain vigilant
Almost 1 in 5 data breaches over the past 6 months were the result of social engineering or impersonation. The Commissioner warned that the increased number of large-scale data breaches in previous years elevates the risk of the 'mosaic effect'. This is where small pieces of information from different data breaches, when aggregated from across different sources (including the dark web), provide significant information about an individual. This enables cyber criminals to impersonate individuals and access a number of systems or accounts, through the reuse of old passwords or even a predictable pattern of password updates. Businesses must foster a security- and privacy-aware culture through information governance, training, and implementing multiple forms of identity management and authentication (such as multi-factor authentication) for both customer and staff accounts.
When in doubt, play it safe and report
The Commissioner emphasised that the NDB scheme is designed to promote notification. When unable to confirm the extent of unauthorised access or whether data has been exfiltrated, businesses should take a cautious approach and report. When unable to verify the extent of a data breach, businesses are expected to work from the assumption that all personal information stored on the affected systems has been compromised. It is also important to remember that notification (to the OAIC as well as to affected individuals) must be made as soon as practicable after the organisation has reasonable grounds to believe that an eligible data breach has occurred.
Key takeaways for businesses
The OAIC now expects organisations to have a well-established data breach response plan in place, with the training and expertise to activate it expeditiously and flexibly in the event of a data breach. If there is uncertainty as to the extent of a breach, or whether it falls under the NDB scheme, guidance should be sought. MinterEllison provides full-service IT legal and consultancy services with extensive experience in privacy, cyber and data breach preparation and response.