Mandatory notifiable data breaches in Australia 12 months on

May 20, 2019

Mandatory data breach notification has been law for over 12 months now.  The legislation is complex, convoluted and vague in parts, but it does set out an obligation for organisations and agencies to notify the Information Commissioner of data breaches. As expected, that has produced a volume of reported data breaches in excess of the number reported when reporting was voluntary.  Based on overseas experience, where the obligations are more specific and the legislation less vague, the number of actual data breaches is far larger than the number reported to the Information Commissioner.

The Commissioner has released the Notifiable Data Breaches Scheme 12-month Insights Report.

The Commissioner’s media statement provides:

Data breaches involving personal information may be prevented through effective training and enhanced systems, analysis of the first 12 months of mandatory notifications reveals.

Releasing the Notifiable Data Breaches 12-month Insights Report at the start of Privacy Awareness Week in Sydney today, Australian Information Commissioner and Privacy Commissioner Angelene Falk called on regulated entities to heed its lessons.

“By understanding the causes of notifiable data breaches, business and other regulated entities can take reasonable steps to prevent them,” Ms Falk told the Privacy Awareness Week Business Breakfast this morning.

“Our report shows a clear trend towards the human factor in data breaches — so training and supporting your people and improving processes and technology are critical to keeping customers’ personal information safe.

“After more than 12 months in operation, entities should now be well equipped to meet their obligations under the scheme, and take proactive measures to prevent breaches of personal information.”

“The requirement to notify individuals of eligible data breaches goes to the core of what should underpin good privacy practice for any entity — transparency and accountability.

“It’s also an opportunity for organisations to earn back trust by supporting consumers effectively to prevent or manage any potential harm that may result from a breach.”

The Notifiable Data Breaches scheme was introduced in February 2018. The Insights Report examines the first four quarters of statistics from the scheme, and shows that:

  • 964 eligible data breaches were notified to affected individuals and the OAIC from 1 April 2018 to 31 March 2019
  • 60 per cent of breaches were traced back to malicious or criminal attacks
  • The leading cause of data breaches during the 12-month period was phishing (people tricked into revealing information such as passwords) causing 153 breaches
  • More than a third of all notifiable data breaches were directly due to human error
  • That includes personal information being emailed to the wrong recipient, which caused 97 data breaches, or one in ten
  • The remaining 5 per cent of all notifiable data breaches involved system faults.
  • 168 voluntary notifications were also received by the OAIC, where the reporting threshold or ‘serious harm’ test was not met, or the entity was not regulated under the Privacy Act.

Ms Falk said her Office would continue to take a proportionate and evidence based regulatory approach to data breaches, exercising enforcement powers where necessary.

“Our focus during the first year of the scheme has been on raising awareness of how to prevent and respond to a data breach, and comply with the new requirements,” the Commissioner said.

“Over the past year we have worked with more than 1,000 organisations reporting a breach, either voluntarily or under the mandatory NDB scheme.

“Our priority has been to ensure the breach was contained and rectified, affected individuals were informed so they could act swiftly, and that measures were put in place to prevent a reoccurrence.

“This approach has been successful in elevating the security posture in those organisations and increasing transparent and accountable personal information handling practices.

In broad terms the number and focus of breaches are consistent with overseas experience.  Health and financial institutions are, cumulatively, the sources of the majority of data breaches involving human error.  Both sectors collect, store and use personal information on a daily basis.  The health sector has a generally poor privacy culture and many ways of accessing data without authorisation. Not surprisingly, the majority of the breaches were due to malicious and criminal attacks.  Human error remains a very significant cause of data breaches.  That bespeaks poor privacy training.  It is also not surprising that the majority of data breaches involved contact information.

The fact that the most common means of effecting a breach is phishing and spear phishing points to poor privacy training and systemic issues.  The Commissioner stated:

Notably, phishing and spear phishing continue to be the most common and highly effective methods by which entities are being compromised—whether large or small—in Australia or internationally. Within the period, a total of 153 data breaches were attributed to this method. Attackers typically use phishing to elicit credentials—usually a username and password—from a user to gain access to systems. Attacker techniques continue to evolve in this area, making phishing emails increasingly difficult to detect without sustained and focused user education.

and:

The predominance of human factors in data breaches emphasises the importance of education and training for all employees who handle personal information. Implementing technological solutions, such as multi-factor authentication or system requirements that force users to choose a strong password and change it regularly, is also valuable.

The commentary on how to determine the seriousness of the harm highlights an unfortunate aspect of the legislation from a regulatory perspective, but also the need for an organisation to undertake a proper analysis when there is a data breach.  The Commissioner has issued guidance, which does not have force of law and is quite general.  In the report the Commissioner stated:

The prospect of serious financial harm resulting from breached financial information (such as credit card numbers) and identity information (such as passport numbers) appears to be well understood and regularly triggers reporting under the NDB scheme. This generally reflects the kinds of harm that can result when this information is obtained by cybercriminals, with financial information and identity information among the most valuable information traded on the dark web.

Breached entities may find it more difficult to quantify the nature of the harm that can arise from a data breach involving other kinds of information, such as health information. In these instances, the likelihood and nature of the harm to affected individuals may be less immediate, but nonetheless serious in nature.

This terminology provides challenges for organisations in deciding whether to notify or not. 

The report sets out five best practice tips in the context of notifiable data breaches, stating:

1. Your people and the role of training

  • All employees should be trained on how to detect and report email-based threats (such as phishing), understand basic account security (such as secure passwords) and how to protect their devices. Education should also focus on data handling practices and how to report suspected privacy breaches.

  • Typically, best practice approaches in mature organisations involve a dedicated training program comprising face-to-face training and e-learning, supported by tools and ongoing communication on how employees can stay safe from evolving threats.

  • Entities should consider their broader workforce (including contractors) when setting awareness strategies.

2. Preventative technologies and processes

  • All entities should prioritise investments in improving their overall security posture in line with known security risks. Where necessary, they should engage expert security advice.

  • At a user level, technologies such as multi-factor authentication complement user education in mitigating against the risk of compromised credentials. Encryption and secure data transfer technologies also minimise the risk of data loss in everyday communications. Proactive monitoring of systems should be undertaken so that entities can detect and respond to breaches in a timely manner.

  • Uplifting these strategies provides a prime opportunity to review data holdings and minimise unnecessary holdings.

3. Preparation

  • Entities that have prepared for data breach incidents prove to be best placed to identify and manage data breaches.

  • A data breach response plan provides practical guidance on how to reduce the impact of a data breach, meet obligations under the NDB scheme and support individuals to reduce harm. Over the coming year, entities should seek to address multi-party and supplier breaches in data breach response plans and contracts.

  • Regular exercises or data breach simulations are also a critical way that organisations can ensure preparedness, as they often highlight deficiencies and risky dependencies.

4. Assessment of harm

  • Entities that deeply understand their data holdings and how data breaches could impact their customers (and other individuals with whom they deal) will be best placed to assess whether a data breach is notifiable or not following an incident.

  • The test for assessing whether an incident is notifiable under the NDB scheme is whether it is likely to result in serious harm for affected individuals. The threshold is designed to be flexible, as each entity is best placed to understand the individuals with whom they engage. There is an opportunity for industry groups to share knowledge to drive strategies which will better support consumers.

  • The risk of reporting when the threshold is not reached is that of notification fatigue and resulting inertia when it really matters. These factors point to the need for a thoughtful assessment process which has regard to the particulars of the incident.

5. Post-breach communication

  • Transparency and simplicity are key guiding principles in the wake of a data breach.

  • Consumers have responded most favourably to those organisations that communicated in plain English about what had occurred and the steps they needed to take to protect themselves. Organisations should also be mindful of the impacts of mixed messages and poor timing, for example, issuing the notification before a weekend or public holiday, when response actions cannot be taken.

  • Emerging best practice by entities in the past year has included establishing and maintaining microsites and setting up support lines to provide customers centralised channels to ask questions and find out what they can do to reduce harm. This is increasingly considered best practice.

The very disappointing part of the report is the clear reluctance of the Commissioner to take any enforcement action beyond the rather tepid direction to notify under section 26WR of the Privacy Act 1988.  The fact that an organisation reports a data breach does not give it immunity from action.  Some breaches are caused by clear failures to comply with the Privacy Principles, in particular those relating to security.  This Commissioner has shown a lack of interest in, or aptitude for, that necessary part of a regulator's duties: taking enforcement action over breaches.  Her foreword highlights that reluctance when she states:

Over the past year, my office has directed its efforts to driving awareness of the NDB scheme’s requirements, the causes of data breaches and better data breach management practices. We have focused on providing support to regulated entities to assist them to comply with their notification obligations and understand the causes of data breaches to prevent them in the future. This is consistent with our general approach of working with entities to encourage and facilitate voluntary compliance with their obligations. We have also examined security practices and conducted inquiries to ensure containment, rectification and future mitigation of security risks.

and

The past year has also led to collaboration across industry and between the OAIC and other organisations charged with supporting the Australian community to deal with data breaches and threats.

and

As we move into the second year of operation of the NDB scheme, the OAIC expects entities to understand the causes of data breaches and take proactive steps to prevent them.

and

We also encourage entities to move beyond compliance to effectively support consumers.

It is quite woolly, and very much in the approach taken by the previous Information Commissioner.  That is a pity.

The nod, tentative, vague and timid, to enforcement is found in her statement:

In the coming year, the OAIC will take a proportionate and evidence-based regulatory approach in relation to the NDB scheme, including by exercising our enforcement powers where necessary. Through these actions, we will support the NDB scheme’s purpose of protecting consumers by elevating the security posture across the economy and increasing transparent and accountable personal information handling practices.

Not exactly an example of clear and precise prose.  It is barely a step away from a motherhood statement. Based on the above sentiments and prior history, there is very little for organisations to be concerned about in terms of being at the receiving end of strong enforcement action.  And that is a pity.
