Australian data breaches involving personal information may be prevented through effective training and enhanced systems, analysis of the first 12 months of the Notifiable Data Breaches (NDB) scheme has revealed.
The report, Notifiable Data Breaches 12-month Insights Report, highlights the ‘human factor’ in data breaches, with more than a third of data breaches reported due to human error.
In February 2018, the NDB scheme introduced new obligations for Australian Government agencies and private sector organisations that have existing information security obligations under the Privacy Act 1988 (Cth).
Under the scheme, it is a legal requirement for entities to carry out an assessment whenever they suspect that there may have been loss of, unauthorised access to, or unauthorised disclosure of personal information that they hold. If serious harm is likely to result, they must notify affected individuals so they can take action to address the possible consequences.
They must also notify the Office of the Australian Information Commissioner (OAIC).
Australian Information Commissioner and Privacy Commissioner Angelene Falk has called on regulated entities to heed the lessons within the report, saying “By understanding the causes of notifiable data breaches, business and other regulated entities can take reasonable steps to prevent them.”
“Our report shows a clear trend towards the human factor in data breaches — so training and supporting your people and improving processes and technology are critical to keeping customers’ personal information safe.
“After more than 12 months in operation, entities should now be well equipped to meet their obligations under the scheme, and take proactive measures to prevent breaches of personal information,” said Ms Falk.
“The requirement to notify individuals of eligible data breaches goes to the core of what should underpin good privacy practice for any entity — transparency and accountability. It’s also an opportunity for organisations to earn back trust by supporting consumers effectively to prevent or manage any potential harm that may result from a breach.”
The insights report examines the first four quarters of statistics from the NDB scheme, and shows that:
- 964 eligible data breaches were notified to affected individuals and the OAIC from 1 April 2018 to 31 March 2019:
- 60 per cent of breaches were traced back to malicious or criminal attacks
- The leading cause of data breaches during the 12-month period was phishing (people tricked into revealing information such as passwords) causing 153 breaches
- More than a third of all notifiable data breaches were directly due to human error – including personal information being emailed to the wrong recipient, which caused 97 data breaches, or one in ten
- The remaining 5 per cent of all notifiable data breaches involved system faults.
168 voluntary notifications were also received by the OAIC, where the reporting threshold or ‘serious harm’ test was not met, or the entity was not regulated under the Privacy Act.
Ms Falk said her Office would continue to take a proportionate and evidence‑based regulatory approach to data breaches, exercising enforcement powers where necessary. “Our focus during the first year of the scheme has been on raising awareness of how to prevent and respond to a data breach, and comply with the new requirements.
“Over the past year we have worked with more than 1,000 organisations reporting a breach, either voluntarily or under the mandatory NDB scheme. Our priority has been to ensure the breach was contained and rectified, affected individuals were informed so they could act swiftly, and that measures were put in place to prevent a recurrence,” the Commissioner said.
“This approach has been successful in elevating the security posture in those organisations and increasing transparent and accountable personal information handling practices.”
The Notifiable Data Breaches 12-month Insights Report can be downloaded from the OAIC website, along with the latest quarterly statistics report for January to March 2019.