Lessons from 12 months of notifiable data breaches in Australia

The notifiable data breach regime under the Privacy Act 1988 (Cth) has now been in place for a little over 12 months. Earlier this week the Office of the Australian Information Commissioner released a 12-month Insights Report which contains some interesting statistics and observations.

Statistics – notifiable data breaches

Extrapolating from the full-year statistics for the notifiable data breach scheme, it’s clear that in the foreseeable future we can expect large numbers of breaches to be reported to the OAIC and notified to individuals. To date, over 200 breaches have been reported to the OAIC in every full quarter since the scheme commenced.

In the full-year period from April 2018 to March 2019:

• 60% of notifiable data breaches arose from malicious or criminal attacks;
• 35% arose from human error (in the health and finance sectors, this percentage was notably higher); and
• 5% arose from system faults.

While human error is second in the above list, a majority of data breaches involved a human element. In the case of malicious attacks, this includes clicking on a link that results in the compromise of user credentials.

Indeed, “phishing” was the most common type of malicious breach reported. In a “phishing” attack an individual is contacted by email or text message by a fraudster posing as a legitimate institution (for example the individual’s employer or a supplier such as Microsoft) to encourage the individual to provide personal information or login/password details. The fraudster can then use these details to gain access to systems using the individual’s credentials.

Lessons for organisations

There are a number of useful things organisations can learn from this report, including the following:

• The OAIC cites evidence that suggests the average time between a data breach and the misuse of credentials is 9.55 days.

That means that if an organisation is able to identify a data breach and move quickly to address it, the organisation may be able to head off the misuse of credentials by a third party. Organisations should encourage staff who realise they have “clicked on something they possibly shouldn’t have clicked on” to report this as soon as possible, embarrassing as it may be to do so.

• If an organisation intends to notify a data breach to individuals it should consider the timing of the notification. For example if the notification recommends that individuals take a particular action to mitigate their risk, but that action cannot be taken over a weekend, it may be undesirable to issue the notification on a Friday afternoon as individuals may experience feelings of anxiety and helplessness over the weekend.
• Notifications to individuals need to be clear and direct. They should be in plain English and should not be internally inconsistent – for example it may be confusing if a notification states that the risk of harm is fairly low but then lists numerous actions that individuals could consider taking to reduce the risk.

The OAIC’s expectations and approach

The OAIC states in the report its expectation that organisations will act on the highlighted risks and take steps to prevent further data breaches. It expects that:

• All employees should be trained on how to detect and report email-based threats such as phishing. Best practice involves a dedicated training program including face-to-face training and e-learning.
• Preventative technologies such as multi-factor authorisation should be implemented.
• Organisations should review their data holdings and destroy or de-identify data they no longer require.
• Organisations should have a data breach response plan (see our earlier article) and conduct regular exercises to ensure their preparedness for a breach.

Finally, the report states that organisations should by now be aware of their obligations under the notifiable breach scheme.

While the OAIC’s approach in the first year of the scheme’s operation was largely to educate organisations about the scheme and how to avoid and manage data breaches, moving forward the OAIC “will consider regulatory action for organisations that fail to respond appropriately” to a data breach.