With the commencement of the Notifiable Data Breach Scheme (NDB Scheme) on 22 February 2018, the Office of the Australian Information Commissioner (OAIC) has been able to collect substantial and meaningful information on data breaches that occur in Australia. Prior to the NDB Scheme, most data breaches in Australia went unreported, which meant there was a lack of information available about data security risks.
The OAIC recently released its second quarterly report (the Report) on notifications received under the NDB Scheme for the period 1 April to 30 June 2018. The Report contains valuable information about the data security risks that organisations face, and allows organisations to make better informed decisions to manage these risks.
As we explain in this update, “human error” stands out as a key area of risk that organisations can reduce by implementing a privacy compliance framework with practical processes and systems for its staff to follow.
NDB Scheme at a glance
The NDB Scheme requires organisations to notify the OAIC (and affected individuals) of an eligible data breach (EDB), which occurs when personal information held by an organisation:
a) is subject to unauthorised access or disclosure; and
b) that access or disclosure is likely to result in “serious harm” to an individual, be it harm of a physical, psychological, emotional, financial or reputational nature.
If organisations fail to comply with the NDB Scheme, they can incur significant penalties of up to $2.1 million, in addition to adverse publicity and reputational damage. You can read more about the NDB Scheme in our February article, here.
Key insights from the report
• The majority of reported Australian data breaches (59%) were caused by malicious or criminal attacks
• Cyber-incidents account for 40% of total notified data breaches
• Phishing (compromised credentials) is the highest known cause of cyber-incidents, accounting for 28% of total notified data breaches
• Human error remains a major source of data breaches at 36% of total notified breaches
• The top five industry sectors that reported data breaches were health service providers (20%), financial institutions (15%), professional services (8%), education (8%) and business and professional associations (6%)
Malicious attacks the major cause of data breaches
During the quarter, the OAIC was notified of 242 EDBs, a majority (59%) of which were caused by malicious or criminal attacks. Further, 40% of all breaches resulted from deliberate attempts to exploit an organisation’s known IT security vulnerabilities, which include phishing (compromised credentials), malware, ransomware, brute-force attacks and hacking.
Organisations must ensure that they implement and maintain adequate security measures to protect data from cyber-attacks and physical theft.
Human error remains a major source of data breaches
During the second quarter, the OAIC was notified of 85 EDBs that were attributable to human error, which represents 36% of total notified breaches. A breakdown of these breaches by source, giving the number of EDBs and the average number of individuals affected per breach, follows:
Personal Information sent to unintended recipient (40 EDBs; 42 individuals affected on average)
Unauthorised disclosure (unintended release or publication) (12 EDBs; 216 individuals affected on average)
Loss of paperwork/data storage device (9 EDBs; 1199 individuals affected on average)
Failure to use BCC when sending email (7 EDBs; 571 individuals affected on average)
Insecure disposal of personal information (5 EDBs; 69 individuals affected on average)
Unauthorised disclosure (intentional) (3 EDBs; individuals affected on average: data not available)
Other (12 EDBs; 440 individuals affected on average)
In contrast to malicious or criminal attacks (which are perpetrated by third parties who are usually outside an organisation’s sphere of control), organisations do have the ability to influence and/or control the behaviours and actions of their staff. Although it may not be possible to entirely eradicate human error, organisations should implement a privacy compliance framework with clear processes and procedures for staff to follow, which can significantly reduce the risk of human error causing an EDB.
For example, a privacy compliance framework could include processes that:
1. avoid single points of failure, such as requiring two employees to check that the ‘blind carbon copy’ (BCC) function is used correctly before sending any external group emails;
2. ensure personal information is de-identified or destroyed when it is no longer required;
3. ensure staff and relevant contractors are trained on the organisation’s privacy obligations and how to identify potential data security risks; and
4. require the privacy officer and key stakeholders to undertake periodic privacy compliance audits.
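The first process above relies on two people checking BCC usage by hand. The same check can be enforced automatically at the mail gateway or in a send hook, so that a group email whose external recipients are visible in To or Cc is held back before it leaves the organisation. The following is an added example, not code from the original article or from CIE Legal; the internal domain (example.com.au), the threshold of one visible external recipient, and the sample messages are all constructed for illustration.

```python
"""Outbound BCC guard: flag group emails that expose external recipients in To/Cc.

Added example. The internal domain, threshold and sample messages below are
constructed assumptions, not values from the article.
"""
from email import message_from_string
from email.utils import getaddresses

# Assumption: the organisation's own mail domain(s); anything else is "external".
INTERNAL_DOMAINS = {"example.com.au"}

# Assumption: one-to-one correspondence with a single external party is normal;
# more than one external address visible in To/Cc is treated as a group email.
MAX_VISIBLE_EXTERNAL = 1


def external_recipients_in_clear(raw_message, internal_domains=INTERNAL_DOMAINS):
    """Return the external addresses that appear in To or Cc (i.e. visible to all recipients).

    Bcc is deliberately ignored: addresses placed there are not disclosed to
    the other recipients, which is exactly what the control wants to see.
    """
    msg = message_from_string(raw_message)
    header_values = msg.get_all("To", []) + msg.get_all("Cc", [])
    exposed = []
    for _display_name, addr in getaddresses(header_values):
        addr = addr.strip().lower()
        if "@" not in addr:
            continue  # malformed or empty entry; nothing to disclose
        domain = addr.rsplit("@", 1)[1]
        if domain not in internal_domains:
            exposed.append(addr)
    return exposed


def check_bcc_usage(raw_message, internal_domains=INTERNAL_DOMAINS,
                    max_visible=MAX_VISIBLE_EXTERNAL):
    """Return ("BLOCK", exposed) when too many external addresses are visible, else ("ALLOW", exposed)."""
    exposed = external_recipients_in_clear(raw_message, internal_domains)
    verdict = "BLOCK" if len(exposed) > max_visible else "ALLOW"
    return verdict, exposed


# Constructed sample messages (not real correspondence).
GROUP_EMAIL_IN_CLEAR = """From: reception@example.com.au
To: a.patient@mail.example.net, b.patient@mail.example.org
Cc: c.patient@example.edu
Subject: Appointment reminders
Content-Type: text/plain

Your appointments are confirmed for next week.
"""

GROUP_EMAIL_WITH_BCC = """From: reception@example.com.au
To: reception@example.com.au
Bcc: a.patient@mail.example.net, b.patient@mail.example.org, c.patient@example.edu
Subject: Appointment reminders
Content-Type: text/plain

Your appointments are confirmed for next week.
"""

ONE_TO_ONE = """From: accounts@example.com.au
To: Jane Client <jane@client.example.net>
Cc: accounts@example.com.au
Subject: Your invoice
Content-Type: text/plain

Invoice attached.
"""


if __name__ == "__main__":
    for label, raw in [("group in clear", GROUP_EMAIL_IN_CLEAR),
                       ("group via Bcc", GROUP_EMAIL_WITH_BCC),
                       ("one-to-one", ONE_TO_ONE)]:
        verdict, exposed = check_bcc_usage(raw)
        print(f"{label:15s} -> {verdict} (visible external: {exposed})")
```

A blocked message should be returned to the sender for correction rather than silently dropped, and the block event logged, so that the privacy officer can see how often the control fires during the periodic audits in point 4.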
Organisations should have, as part of a broader privacy compliance framework, a “data breach response plan” with clear roles and responsibilities assigned to staff to contain, assess, evaluate, and if necessary, notify affected individuals and the OAIC of an EDB. A robust plan will not only minimise the impact of the breach, it will help achieve compliance with the NDB Scheme.
CIE Legal advises businesses on privacy compliance and helps them implement policies and procedures to comply with the Privacy Act (and the NDB Scheme). If you would like assistance to comply with the NDB Scheme, or need advice on how to handle a data breach, please contact us.