Notifiable Data Breach scheme: the Australian Privacy Watchdog's latest figures

5 minute read | 14.02.2019 | Kosta Hountalas, Susan Kantor, Veronica Scott
The OAIC has released its latest Notifiable Data Breach reporting statistics. In this article we crunch the numbers and summarise the key highlights of the OAIC's report and the take-outs for organisations.

Key takeouts

  • Once again, the health service provider industry has topped the list for notifications under Australia's NDB scheme.

  • Human error accounted for a third of all notifications for the quarter and was the second largest source of data breaches, behind malicious or criminal attacks.

  • Organisations should focus on staff privacy and cyber training, as human error accounts for a large percentage of notified data breaches.

The Notifiable Data Breaches (NDB) scheme has now been in place for nearly a year. The scheme applies to all organisations that are subject to the Privacy Act 1988 (Cth) (Privacy Act) and requires them to:

  • assess suspected 'eligible data breaches'; and
  • notify the Office of the Australian Information Commissioner (OAIC) and any affected individuals of an 'eligible data breach'.

The OAIC has recently published its fourth Quarterly Statistics Report for 1 October to 31 December 2018 (Report). These quarterly reports are based solely on information provided by reporting entities, and do not provide any commentary or guidance from the OAIC as to whether it considered the reported breaches to be 'eligible data breaches'.

Key highlights

The key highlights from the Report are:

  • a total of 262 notifications were made to the OAIC, up 18 from the last quarter (July to September 2018);
  • the percentage of notifications due to malicious or criminal attacks rose to 64%, making them the largest source of data breaches;
  • human error accounted for a third of all notifications for the quarter, and was the second largest source of data breaches;
  • 60% of notifications involved the personal information of 100 individuals or fewer, similar to the last quarter; and
  • the disclosure of individuals' contact information was an issue in 85% of notifications.

Human error, malicious or criminal attacks and system faults were the three key causes of the notifications reported, reflecting that data security threats exist both inside and outside organisations' networks. The cyber incidents reported were phishing emails (the most common type), compromised or stolen credentials, malware or ransomware, brute-force attacks, and social engineering or impersonation.

Human error included unauthorised (unintended) disclosures of personal information, sending personal information to the wrong recipient (usually by email), loss of documents and the insecure disposal of personal information. According to the Report, human error giving rise to the unauthorised disclosure of personal information affected the largest number of individuals per breach (an average of 17,746).

Sector data

The key sector data for this quarter includes:

  • Health service providers were the highest reporting sector, with a total of 54 notifications (21%). The most common cause of these was human error (54%), and more than half of the human error breaches involved email communications.
  • The finance industry made 15% of all notifications, and 70% of these were due to malicious or criminal attacks, a notably higher proportion than the 64% across all sectors.
  • The remaining notified breaches were made up of:
    • legal, accounting and management services (9%);
    • education (private) (8%); and
    • mining and manufacturing (5%).

[Chart] Source: © Office of the Australian Information Commissioner, Notifiable Data Breaches Quarterly Statistics Report: 1 October – 31 December 2018

Trends for the first year of the NDB scheme and take-outs

After almost a full year of reported breaches, some trends have emerged.

The quarterly numbers are reasonably consistent overall (with the exception of the first report, which did not cover a full quarter). In 2018, 812 breaches in total were reported to the OAIC. This is a significant increase from the previous year, when notification was voluntary.

The health sector has consistently had the most notifications. However, this may be because:

  • by its nature, if health information is subject to unauthorised access or disclosure, it is more likely to result in serious harm for affected individuals; and
  • there is no small business exemption under the Privacy Act for health service providers. This means there are many more smaller health service provider entities subject to the NDB scheme.

In 2018, only 85 of the reported breaches affected more than 1,000 people, with almost half of these reported in the most recent quarter. Despite what feels like daily media reports of large-scale data breach incidents, the reports show that the majority of data breaches affect only small numbers of individuals.

With the exception of the first quarter, the leading cause of reported breaches in each quarter has been malicious or criminal acts. The OAIC now provides further detail of the causes of these attacks, with cyber incidents by far the leading cause in the most recent quarter. Sending emails to the wrong recipient also remains a common issue.

These results highlight the importance of organisations implementing and reinforcing their internal privacy procedures, governance, training and data security, as well as managing cyber risk. Human error can be managed, and the risk of data breaches reduced, with appropriate training, protocols and processes. MinterEllison will be releasing its fourth annual Cyber Security Perspectives report in March this year, which will provide further insights into where organisations currently stand on cyber security.

More insights in 2019?

While the Report is lengthy and breaks down the data in detail, what we do not yet have to help inform data breach responses and assessments are insights such as:

  • whether the OAIC considered all of the data breaches notified to be eligible data breaches;
  • whether many of the notifications related to the same incident and were made by multiple entities;
  • how many complaints have been made as a result of the data breaches notified;
  • what types of affected data sets have been seen to cause a likelihood of serious harm;
  • what steps have been effective in containing data breaches and supporting affected individuals; and
  • although contact information is the primary affected data set, whether it is the combination of contact details with other data that has resulted in an assessment that there is a likelihood of serious harm.

Need help?

If you are a private sector organisation, a health service provider or a Commonwealth agency that is subject to the Privacy Act, speak to us about how best to implement appropriate privacy and data security strategies to minimise your organisation's risk of a breach, and what steps you can take to proactively deal with your notification obligations should a breach occur.

Source: https://www.minterellison.com/articles/notifiable-data-breach-oaic-reporting-statistics-privacy-watchdog