Mapping data breach notification

Presentation by Timothy Pilgrim, Privacy Commissioner, at iappANZ data breach panel discussion, Sydney, 6 May.

I would like to begin by acknowledging the traditional owners of the land on which we meet today, and to pay my respects to their elders, both past and present.

It’s great to be here for Privacy Awareness Week, especially with so much going on in the world of privacy already this year.

Privacy is rarely out of the news these days. The media continues to report on exciting new technologies as well as on activities that raise privacy questions and fuel debate.

As a society we are increasingly connected, and more complex interactions and questions are coming up every day. In a world of increasingly complex technological solutions to information management, data breaches are becoming more and more common, and the damage that they can cause is becoming more far-reaching and serious.

The cost of data breach

This is supported by research, in particular, the 2013 Ponemon study into the cost of data breaches in Australia[1] which showed that the cost of data breaches to companies is increasing, and that data breaches caused by a malicious or criminal attack are increasing. The Ponemon study shows that there was a 23% increase in the average total cost of data breaches to organisations from 2011 to 2012 — the average total organizational cost of data breach in 2012 was $2.71 million. It is clear that data breaches have the least financial impact on organisations that have a data breach plan in place, on organisations that respond quickly, and on organisations that employ specialists in this field, such as having a Chief Privacy or Information Security Officer.

How data breaches happen

Data breaches can occur in many ways. It may be a lost or stolen laptop or portable storage device, a misplaced file, a database being ‘hacked’ into or inadvertently published online, a staff member mistakenly providing information to the wrong person — the classic mail room error that catapults a respectable organisation and its Chief Executive Officer onto the front page of the newspaper.

The Ponemon report showed that:

  • 43% of organisations say the root cause of data breach was malicious or criminal attacks, up from 36% in 2011
  • 33% of breaches involved negligent employees or contractors
  • 24% of breaches were due to IT and business process failures.

As businesses increasingly look to more cost-efficient information management solutions like cloud computing, all of these contributing factors become more of a concern. Good information security, robust business processes and up-to-date staff training are all key elements of maintaining the security of information.

You may have seen coverage of the recent Target data breach in the US. Fortunately, this didn’t affect any Australian customers, but this was a case where hackers stole the personal information of approximately 70 million people. This breach has led to a multi-jurisdiction investigation, and the introduction of a US Senate bill that seeks to improve how companies must protect customer data. A Reuters Ipsos poll showed that approximately 40% of the people who shopped at Target during the relevant period had not been notified. It is also worth noting that Target has said that its profits for the 4th quarter fell 46% due to this breach.[2]

As you would have seen in our office’s recent statement on information security, where information security is inadequate, being hacked will not necessarily be an excuse. Nor can you contract out of your privacy obligations: businesses remain responsible for the personal information that they have collected, even when they are using contracted services to handle that information.

The own motion investigation report into Multicard that was released last week is a perfect example of the importance of business processes that take account of privacy. In this instance, personal information was made publicly available through a series of clear failures in basic information management and security.

The OAIC’s approach

Our office has experienced an increase in data breach notifications over the last year. In the 2013–13 year, we received 61 voluntary data breach notifications. In the current year so far we have received 50. This is in addition to the nearly 3000 complaints (an increase of over 50%) on a range of privacy issues. This reflects a broader global trend: as governments and businesses become more reliant on electronic records and networked systems, the risk of a breach occurring increases.

APP 11

If you are familiar with the APPs, which I’m sure you all are, you will know that APP 11, on information security, requires organisations that hold personal information to take reasonable steps to protect the information from misuse, interference and loss, and from unauthorised access, modification or disclosure.

Our office’s Guide to information security is also helpful here. The last section of the Guide sets out various strategies to ensure appropriate safeguards are in place to protect personal information. I won’t go into each of these now, as they are outlined in the Guide and a one-page summary is available on our website. We will shortly launch a revised version of the Guide to reflect the new APP 11 requirements.

I have previously found, after investigation, that organisations were in breach of the Privacy Act by not taking reasonable steps to prevent a data breach involving a cyber-attack.

Regular review of information security measures is crucial, particularly given how regularly organisations change their processes, information, personnel, applications and infrastructure, as well as changing technology and security risks. Organisations must implement and maintain information security measures that respond to this changing landscape. I also expect that entities will regularly review the operation and effectiveness of the steps and strategies they have taken to protect personal information.

In the event of a data breach, an organisation may be found not to have ‘disclosed’ personal information under APP 6 if they have been hacked, but they may still be found in breach of APP 11 if they did not take reasonable steps to protect the information from unauthorised access.

That being said, we strongly encourage organisations to come to us for advice if they do experience a data breach. We recently released a new privacy regulatory action policy for consultation — some of you may have seen it — and we will soon release the finalised policy, incorporating the feedback that we received. The regulatory action policy clearly states that notification will not stop us from commencing an investigation if we feel that it is necessary and appropriate, but it also says that proactive notification of a data breach will be taken into account when considering whether regulatory action is necessary.

We also strongly encourage all organisations to make full use of our voluntary data breach notification guide, which provides detailed guidance on processes you can follow if you experience a data breach, as well as outlining our expectations in regard to notification.

The Data breach notification guide and the Guide to information security, which we launched at last year’s business breakfast, are key publications for any organisation.

A collaborative approach to enforcement

The regulatory action policy states that our preferred regulatory approach is to work with entities to encourage compliance and best practice. This approach aims to help prevent contraventions and the subsequent need to investigate matters, or to take formal enforcement action.[3] The tools which we will use to encourage voluntary and best practice compliance include:

  • engaging with regulated entities to provide guidance, promote best practice compliance, and identify and seek to address privacy concerns as they arise
  • engaging with regulated entities who voluntarily and proactively notify our office of a data breach incident, including by providing advice to the entity on containing and responding to the incident
  • conducting assessments of whether personal information is being maintained and handled in accordance with the APPs. Through these assessments, our office would identify privacy risks and areas of non-compliance, and may make recommendations for how the entity might reduce those risks or address areas of non-compliance
  • recommending an entity conduct a privacy impact assessment (PIA) where it proposes to engage in a new activity or function involving the handling of personal information about individuals, or when a change is proposed to information handling practices. As you may know, this week we launched an updated Guide to undertaking a privacy impact assessment, which provides an easy-to-follow ten-step process.

However, in the event that working with entities is not effective, our office has a range of regulatory responses available. The Commissioner is empowered to direct an entity to develop a code, to direct an agency to conduct a PIA, to conduct a privacy assessment, and to make enforceable undertakings. We may initiate an investigation, conciliate or determine a complaint, and direct the production of a document or the taking of certain action. In the case of a serious or repeated breach of privacy, we may apply for civil penalties.

Conclusion

The key message on this issue that we would like to share with businesses is that data breaches are an inevitable reality of modern business. The only viable way to deal with this problem of the information age is to be prepared: being prepared will help you prevent a breach, will help manage any reputational damage if you do have a breach, and will save you money in the long run. Maintaining best practice information security is good business sense; you need to mitigate the risk that a data breach could be caused by careless or inadequate processes at your end.

We will be collaborative in our regulatory approach; we want to help you achieve best privacy practice in order to limit both breaches and harm to individuals. But ultimately our role is to protect the public, and in a situation where a business does not cooperate, or flagrantly ignores its obligations, we will not hesitate to take appropriate action.

Footnotes

[1] Ponemon 2013 cost of a data breach study: Australia (PDF): <http://www.symantec.com/content/en/us/about/media/pdfs/b-cost-of-a-data-breach-australia-report-2013.en-us.pdf?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2013Jun_worldwide_CostofaDataBreach>

[2] Data-breach costs take toll on Target profit: <http://news.yahoo.com/data-breach-costs-toll-target-profit-123047290--finance.html>

[3] OAIC's privacy regulatory action policy (draft): <http://www.oaic.gov.au/privacy/privacy-engaging-with-you/previous-privacy-consultations/oaic-s-privacy-regulatory-action-policy/oaic-s-privacy-regulatory-action-policy-draft#_Toc381795792>