As the third anniversary of the introduction of the scheme approaches, the Office of the Australian Information Commissioner (OAIC) has published its half-yearly report on the Notifiable Data Breaches (NDB) scheme. The report reveals ongoing trends and gives further guidance on the OAIC’s views of what an effective breach response looks like.
Between 1 July and 31 December 2020, a total of 539 eligible data breaches were notified to the OAIC, up 5% on the previous six months. The key causes remain human error (38% of all breaches) and malicious or criminal attacks (58%). The health sector again reported the highest number of breaches, and the Australian Government has entered the top five sectors for notifications. The OAIC has also reflected on the privacy risks of working-from-home arrangements introduced under COVID-19 restrictions, noting a marked increase in breaches caused by human error over the same period, although it considers it too early to draw firm conclusions.
Malicious or criminal attacks (which include cyber incidents, social engineering and rogue employees or insider threats) and human error continue to dominate the causes of data breaches notified to the OAIC for the period. The majority of the malicious attacks were cyber incidents involving unauthorised access to accounts using compromised or stolen credentials, with email-based phishing still one of the most common ways those credentials are obtained and therefore one of the greatest security exposures for organisations.
The human factor continued to be a major cause of breaches, with notifications rising 18% from 173 to 204 (in particular in the health sector). These errors are still often simple: sending personal information to the wrong email address, accidental release or publication, and failing to use the blind carbon copy (BCC) function when emailing large groups of people. Simple as they are, these errors can affect large numbers of people: breaches involving unauthorised disclosure affected an average of 20,117 individuals each.
Time taken to notify: the OAIC has observed significant variation in the time entities take to notify. Under the scheme an entity must assess a suspected eligible data breach within the prescribed 30-day period and, once it concludes that an eligible data breach has occurred, notify as soon as practicable. The OAIC emphasises that timely assessment and notification help individuals to make informed decisions and take prompt steps to protect themselves, and that any delay must be reasonable and justified in the circumstances.
Content of notification: the OAIC found some notices deficient in that they did not enable individuals to understand the risks they faced. It reiterated the information a notice must contain, which includes a clear explanation of the eligible data breach, the kinds of personal information involved, and recommendations about the steps individuals should take in response.
What does a good breach response look like?
The OAIC highlighted a particular example of a good data breach response and assessment, completed across a total of 35 days. It included:
- immediate action to stop the breach (locking down the affected accounts)
- prompt engagement of expert forensic advisors to investigate
- quickly making a risk assessment based on preliminary findings
- giving an initial notice of the eligible data breach to affected individuals while the forensic investigation was still under way
- confirming the extent of the data breach, including whether the data had been viewed or exfiltrated
- completing the assessment of the risk of serious harm
- engaging a third party to provide support to affected individuals
- contacting the agencies responsible for any government identifiers that were affected; and
- providing a final, tailored notification to the OAIC and to the affected individuals identified as at risk of serious harm.
Organisations should take the following measures to address the risks highlighted by the report:
- Address human error: organisations must continue to tackle human error, particularly in relation to email, as a frequent root cause of data breaches. Useful steps include increased and ongoing staff training, simulation exercises, a culture of ownership for data protection, and information handling processes that make the compliant path the easy one.
- Be prepared: the OAIC expects organisations to have appropriate systems and processes in place to effectively detect, contain, assess, notify and review data breaches and to comply with their notification obligations in a timely manner and avoid unnecessary delay.
- Invest in robust Privacy by Design methodologies: this includes conducting a comprehensive audit of internal business processes in order to identify common or potential breaches and how to respond and minimise the risk of these breaches occurring.
A new cyber breach reporting framework on the horizon
The Security Legislation Amendment (Critical Infrastructure) Bill 2020 was introduced in Parliament in December 2020 to uplift the security and resilience of Australia’s critical infrastructure. It will expand the scope of the Security of Critical Infrastructure Act 2018 to cover 11 critical sectors, including data storage or processing, and health care and medical. This will mean additional risk management obligations for entities in those sectors, as well as an obligation to report cyber security incidents to the Australian Signals Directorate. The change is aimed at ensuring that Australia’s approach to critical infrastructure evolves to maintain security and resilience in the current climate.
Privacy Act review
In addition, the Privacy Act Review that commenced in October 2020 will consider the impact and effectiveness of the NDB scheme, now three years since its implementation.