One of the greatest challenges for organisations grappling with an evolving local and international privacy compliance landscape is a lack of available data on risks. The OAIC's second quarterly statistics report on the NDB scheme provides welcome information, but how should this data be analysed, and what are the key takeaways for organisations?
The NDB scheme commenced on 22 February 2018 with the implementation of the Privacy Amendment (Notifiable Data Breaches) Act (Cth). It inserted a new Part IIIC into the Privacy Act (Cth) requiring organisations to notify the OAIC and affected individuals of eligible data breaches (EDBs).
An EDB occurs when personal information held by an entity is subject to:
- unauthorised access or disclosure (or, where the information is lost, unauthorised access or disclosure is likely to occur); and
- a reasonable person (in the entity's position) would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates, unless an exception applies.
Malicious attacks increase, health and finance most affected
During the period 1 April to 30 June 2018, the OAIC recorded a total of 242 notifications of EDBs. This represents a significant increase on the 63 notifications previously recorded in the OAIC's first quarterly statistical report (although, this increase is partially explained by the fact the NDB commenced mid-quarter, and consequently data was only available for part of the first quarter). Moreover, if this number of notifications is extrapolated on an annual basis, we would expect around 1,000 notifications this year – which is an order of magnitude increase compared with the 114 voluntary notifications made in the financial year prior to the commencement of the NDB scheme.
While human error accounted for the majority of EDBs during the first quarter (32%), and this figure held relatively steady in the second quarter (36%), malicious or criminal attacks emerged as the leading cause of EDBs in the second quarter (representing 59% of all EDBs).
Health service providers remained the most affected industry, accounting for 49 EDB notifications received during the second quarter (up from 15 EDB notifications in the first quarter). Financial services overtook professional services (legal, accounting and management) to take second place in the second quarter, with 36 EDBs reported. The health and finance sectors were also the most targeted industries for malicious or criminal attacks.
So, what can organisations learn from the report?
- Get educated – It appears a significant number of Australian organisations are seeking to comply with the new scheme, with the number of reported EDBs climbing. Organisations should therefore continue to comply with the NDB scheme and educate employees and contractors on the triggers for its application. If your organisation doesn't already have a tailored and well-rehearsed data breach response plan, now is the time to implement one.
- Review your data security – The increase in malicious and criminal attacks is concerning. While it is too soon to tell whether this is indicative of an increase in malicious or criminal activity generally, organisations should revisit the Australian Signals Directorate's Strategies to Mitigate Cyber Security Incidents to ensure they have adequate security in place to address targeted cyber intrusions.
- Improve your cyber resilience – While the data suggests the health and finance industries are the most targeted for malicious or criminal attacks, it may also be that these sectors are more inclined to notify impacted individuals under the NDB scheme because of the nature of the personal information they hold. In any event, executives in these industries should revisit their organisation's cyber resilience strategy in light of the OAIC's report.