Lessons learned during first 12 months of Notifiable Data Breaches scheme
Data breaches involving personal information may be prevented through effective training and enhanced systems, analysis of the first 12 months of mandatory notifications reveals.
Releasing the Notifiable Data Breaches 12-month Insights Report at the start of Privacy Awareness Week in Sydney today, Australian Information Commissioner and Privacy Commissioner Angelene Falk called on regulated entities to heed its lessons.
“By understanding the causes of notifiable data breaches, business and other regulated entities can take reasonable steps to prevent them,” Ms Falk told the Privacy Awareness Week Business Breakfast this morning.
“Our report shows a clear trend towards the human factor in data breaches — so training and supporting your people and improving processes and technology are critical to keeping customers’ personal information safe.
“After more than 12 months in operation, entities should now be well equipped to meet their obligations under the scheme, and take proactive measures to prevent breaches of personal information.”
“The requirement to notify individuals of eligible data breaches goes to the core of what should underpin good privacy practice for any entity — transparency and accountability.
“It’s also an opportunity for organisations to earn back trust by supporting consumers effectively to prevent or manage any potential harm that may result from a breach.”
The Notifiable Data Breaches scheme was introduced in February 2018. The Insights Report examines the first four quarters of statistics from the scheme, and shows that:
- 964 eligible data breaches were notified to affected individuals and the OAIC from 1 April 2018 to 31 March 2019:
  - 60 per cent of breaches were traced back to malicious or criminal attacks
  - The leading cause of data breaches during the 12-month period was phishing (people tricked into revealing information such as passwords), which caused 153 breaches
  - More than a third of all notifiable data breaches were directly due to human error
  - That includes personal information being emailed to the wrong recipient, which caused 97 data breaches, or one in ten
  - The remaining 5 per cent of all notifiable data breaches involved system faults.
- 168 voluntary notifications were also received by the OAIC, where the reporting threshold or ‘serious harm’ test was not met, or the entity was not regulated under the Privacy Act.
Ms Falk said her Office would continue to take a proportionate and evidence-based regulatory approach to data breaches, exercising enforcement powers where necessary.
“Our focus during the first year of the scheme has been on raising awareness of how to prevent and respond to a data breach, and comply with the new requirements,” the Commissioner said.
“Over the past year we have worked with more than 1,000 organisations reporting a breach, either voluntarily or under the mandatory NDB scheme.
“Our priority has been to ensure the breach was contained and rectified, affected individuals were informed so they could act swiftly, and that measures were put in place to prevent a reoccurrence.
“This approach has been successful in elevating the security posture in those organisations and increasing transparent and accountable personal information handling practices.”
The Notifiable Data Breaches 12-month Insights Report can be downloaded from the OAIC website, along with the latest quarterly statistics report for January to March 2019.