Malicious or criminal attacks the main cause of notifiable data breaches

7 August 2018
Adam Walker, Partner, Melbourne
David Smith, Consultant, Melbourne

The number of reported data breaches in Australia significantly increased in the period of 1 April to 30 June 2018, according to the second report on the Notifiable Data Breaches scheme by the Office of the Australian Information Commissioner (OAIC).  The scheme, which commenced on 22 February 2018, requires private sector and federal government entities to notify the OAIC and affected individuals of any breach of personal information that is likely to result in serious harm to an individual.

The number of breach notifications has risen in every month since the Notifiable Data Breaches scheme began.  This may reflect growing awareness by entities of their reporting obligations, an increasing frequency of serious breach incidents, a trend towards over-reporting of breaches, or some combination of these.

Of the 242 notifications received since 1 April 2018 (compared to 63 in the period from commencement of the scheme to 31 March 2018), 142 notifications (or 59%) were primarily caused by a malicious or criminal attack, with a further 88 breaches caused by human error.  However, many of the malicious or criminal incidents exploited human weaknesses such as clicking on a phishing email or disclosing passwords.  That suggests there is still plenty of scope for entities to further train their staff to avoid these pitfalls, bearing in mind that training reduces, but does not eliminate, the chance that someone will be deceived.

Somewhat surprisingly, physical theft of paperwork or data storage devices occurred in many malicious or criminal attack incidents.  Organisations should take note and review their physical security protocols.

One reported breach affected over 1 million individuals.  Large numbers of breaches involved data that was more than just individuals’ names and contact details – e.g. financial details (42% of breaches), government identifiers such as passport or driver’s licence numbers (39%) or health information (25%).  64 breaches have been reported by private health service providers since 22 February, of which 41% were malicious or criminal attacks.

The data bears out a point that is relevant to the current debate about whether individuals should choose to opt out of the My Health Records system: hackers value health information and are motivated to access it.

With the number of notifications steadily increasing, it’s crucial that Australian organisations are prepared to handle any (suspected) data breach.  Three key points we have been working with clients on are:

  • Prevention – understand what data you have and where it is held, either by your organisation or a third party service provider. Develop and maintain a properly resourced set of policies, procedures and roles that ensure data is handled in accordance with business and legal requirements, and have leadership and senior management pro-actively review, update and enforce these.
  • Preparation – develop and maintain a Data Breach Response Plan that details steps to follow if a privacy breach occurs (or is suspected), to ensure those responsible for handling the breach know what to do and can do it quickly.
  • Reporting – should breach notification be required, clear and prompt communication that complies with the law is essential. Having template communications ready to go is desirable.  We have also been working with clients to improve their contractual arrangements with third party service providers who hold data for them, to ensure the service provider fully co-operates in a breach situation and there is clarity about who will control the breach notification process.

A copy of the OAIC’s report can be found on the OAIC’s website.

Authored by:
David Smith, Partner
Adam Walker, Partner
Alida Vandewiele, Associate

This update does not constitute legal advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of the content.
