Artboard 1Icon/UI/CalendarIcons/Ionic/Social/social-pinterest

Notifiable data breach: Two years on and mostly ‘behind the scenes’

14 February 2020

#Data & Privacy

Published by:

Notifiable data breach: Two years on and mostly ‘behind the scenes’

This month marks two years since the introduction of Australia’s notifiable data breach (NDB) scheme.

The Office of the Australian Information Commissioner (OAIC) last reported on the NDB for the period April – June 2019 (see our report here), and it was then that the OAIC announced it would move to reporting on a six monthly basis, instead of quarterly. A report for July – December 2019 is likely to be released soon.

It is expected that thousands of breaches would have been reported by organisations to the OAIC since April 2018 but largely the detail of what makes them eligible, or not, remains unreported. Such insights would be helpful for organisations in their assessment of ‘likelihood of serious harm’ underlying the reportable breaches scheme. In terms of affected persons, it is interesting to recall that 83 per cent of the breaches in the first year affected less than 1,000 people.

In the lead-up to the next report from the OAIC, there have been strong suggestions that organisations can and should be doing more. In a speech to the International Association of Privacy Professionals (IAAP) ANZ conference in October 2019, Commissioner Angeline Falk foreshadowed that the OAIC may soon shift to exercising its enforcement powers if there was not a further commitment to best practice in combating data breaches and improving response strategies. Ms Falk signalled that there were already several matters (investigations of NDB non-compliance) in ‘the pipeline’.

At the same conference, Ms Falk also signalled that ‘international interoperability’ would be a big focus of the OAIC in 2020. This will be welcomed by many businesses who operate in a borderless environment and, above all, who would benefit from consistent laws or, at the very least, consistent best practice in the jurisdictions in which they operate.

In addition, Ms Falk talked about the OAIC’s work to make the human factor behind data breaches a joint focus with our international counterparts.

In all the reports the OAIC has released to date on the number of breaches reported to the OAIC since the introduction of the scheme, human error has been a leading cause behind data breaches. Such incidents might include failure to use BCC when sending email. In the last quarter reported by the OAIC, human error was the source of 34 per cent of reported data breaches as identified by notifying entities.

According to Ms Falk, in sourcing international experience, most data breaches involve a human factor, whether it’s sending an email containing personal information to the wrong recipient, or being the victim of a phishing email that opens the door to a cyber attack.

In 2018, a resolution proposed by the OAIC was co-sponsored by nine privacy and data protection authorities from across the globe and passed by consensus. It includes a call to action for organisations:

  • to recognise that personal data breaches often involve human error
  • to act to implement appropriate security safeguards against this known risk
  • to uplift security postures globally.

The above points would unlikely be resisted by most organisations and, if ignored, may threaten good corporate governance. As such, there remains significant opportunity for businesses looking to develop solutions and tools to minimise ‘the human factor’ leading to data breaches and to assist other organisations to combat this risk.

Therefore, at the anniversary of the implementation of the NDB scheme, it is a good time for businesses to be assessing not only what they currently are doing but what more they could be doing to prevent data breaches, including by minimising human error and increasingly scrutinising their privacy and data practices. As all businesses know, the cost of a data breach goes far beyond the threat of fines and other enforcement by regulators and right to the heart of whether its customers and suppliers can trust its brand.

Authors: Emily Booth

The information in this publication is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this newsletter is accurate at the date it is received or that it will continue to be accurate in the future.

Published by:

Share this