Early report on mandatory data breach notification laws – Australian Information Commissioner releases first quarterly report. Sixty-three notified breaches in the first 6 weeks of the law’s operation
April 12, 2018
The Office of the Australian Information Commissioner has published the first quarterly report on data breach notifications under the mandatory data breach notification legislation, which came into effect on 22 February 2018. Not surprisingly, on a pro rata basis the number of notifications far exceeds the rate of notification under the previously voluntary scheme: 63 breaches in 6 weeks, as opposed to 114 notifications in the last 52 weeks of the voluntary scheme. If the rate of notifications remains consistent, 546 reports could be expected over a full year, almost 5 times the rate under the voluntary scheme. Because the legislation requires organisations and agencies to self-assess whether a breach requires notification, and some organisations will take a less conservative approach (and take a risk in doing so), the figures are probably not a complete record of data breaches affecting personal information.
Organisations not covered by the Privacy Act 1988, primarily under the small business exemption, are also not covered by the mandatory data breach legislation and so are not required to report. This highlights the longstanding flaw in the legislation. Small businesses handle personal information as much as large businesses, sometimes more so. That is particularly the case for those who trade online: for main street traders to buy and sell online requires the storage of names, addresses and credit card/banking information. Given that enough, perhaps many, small business operators have a well-earned reputation for poor privacy and data security practices, it is reasonable to expect the real number of breaches that would fall within the criteria set out in the legislation to be higher than 63, possibly by a significant margin.
The Office of the New York State Comptroller recently published a report on a small residential community, the village of Alfred with 4,200 souls, finding its data protection was totally inadequate. It did not have written policies or procedures detailing the acceptable use of IT assets and the backing up of critical data, there was no recovery plan or breach notification plan, and there was no adequate IT security training for employees. It is not a stretch to say that the same sort of recommendations could be made with respect to many small businesses.
The figures are a reasonable indication that data breaches are a significant threat. Equally important, they also, again, highlight that the main reason for breaches is human error, being 32 of the 63 breaches. That comes down to poor privacy protocols, inadequate processes and most importantly poor training. But it is concerning that the next biggest cause for a breach, 28 of the 63 breaches, was malicious or criminal conduct.
The media release provides:
The Office of the Australian Information Commissioner (OAIC) has published the first quarterly report on data breach notifications received under the Notifiable Data Breaches (NDB) scheme, which came into force on 22 February 2018.
The OAIC received 63 data breach notifications under the scheme during the first six weeks of the scheme’s operation. In the 2016–17 financial year, the OAIC received 114 data breach notifications on a voluntary basis.
The NDB scheme requires entities with obligations to secure personal information under the Privacy Act 1988 to notify individuals when their personal information is involved in a data breach that is likely to result in serious harm. These data breaches are referred to as ‘eligible data breaches’. Entities must also notify the OAIC about eligible data breaches.
The NDB scheme formalised the community’s expectation for transparency when a serious data breach occurs. According to the 2017 Australian Community Attitudes to Privacy Survey, 94 per cent of Australians believe they should be told when personal information is lost by a business.
The OAIC’s acting Australian Information Commissioner and acting Privacy Commissioner, Angelene Falk, said ‘a data breach notification provides individuals with the chance to take steps that reduce their risk of experiencing harm, such as changing relevant passwords for online accounts. This can reduce the overall impact of a breach. More broadly, the transparency provided by the NDB scheme reinforces Australian Government agencies’ and businesses’ accountability for personal information protection and encourages a higher standard of security.
‘Over time, the quarterly reports of the eligible data breach notifications received by the OAIC will support improved understanding of the trends in eligible data breaches and promote a proactive approach to addressing security risks.
‘Just over half of the eligible data breach notifications we received in the first quarter indicated that the cause of the breach was human error. In the 2016–2017 financial year 46 per cent of the data breach notifications received by the OAIC voluntarily were also reported to be the result of human error.
‘This highlights the importance of implementing robust privacy governance alongside a high-standard of security. The risk of a data breach can be greatly reduced by implementing practices such as Privacy Impact Assessments, information security risk assessments, and training for any staff responsible for handling personal information.’
Key statistics from the first quarterly report include:
- Top five sectors that notified the OAIC of eligible data breaches included health service providers (24 per cent of notifications), legal, accounting and management services (16 per cent), finance (13 per cent), private education (10 per cent), and charities (6 per cent).
- 78 per cent of eligible data breaches were reported to involve individuals’ contact information. 33 per cent were reported to involve health information and 30 per cent to involve financial details.
- 51 per cent of the eligible data breach notifications received indicated that the cause of the breach was human error. 44 per cent of breaches were reported to be the result of malicious or criminal attack, and 3 per cent the result of system faults.
- 59 per cent of data breach notifications reported that the personal information of between one and nine individuals was affected. 90 per cent of data breach notifications related to breaches involving the personal information of less than 1,000 individuals.
The report provides a more detailed analysis. While it is heartening, if that is the right word for it, that almost a third of the breaches involve the personal information of only one person, less cheering is the fact that 3 breaches involved the information of between 10,000 and 99,999 individuals and another 3 breaches involved the personal information of between 1,000 and 9,999 individuals. What those figures do not show, but the Commissioner knows, is what information was the subject of the breaches in the high volume cases. It would be disastrous if that was sensitive medical information. Given that 15 of the 63 reports came from the health sector and 33% of breaches involved health information, that is a cause for concern.
These figures do not come as a surprise to privacy lawyers. The health industry generally has a poor privacy culture. This is due to poor privacy training, a high turnover of staff, multiple points at which data can be accessed, longstanding practices of having medical notes accessible to health professionals, staff and, unfortunately, the general public, and a sometimes cavalier approach by medical professionals to patient privacy (such as taking photos of surgical work for sharing) even though under the law and AMA guidelines that is not acceptable. What makes the problem so intractable is that there is very little enforcement by management. When action is taken, the options at the Commonwealth level under the Privacy Act are so limited and the results so ineffective, while at the State level in Victoria there is real difficulty in obtaining a satisfactory resolution before the Victorian Civil and Administrative Tribunal in actions commenced under the Health Records Act. The nature of the problem in the health industry is not confined to Australia.
Breaches occur regularly: a few days ago West Kendall Baptist Hospital notified patients of a breach by a staff member who used patient credit card information, while on 9 April Integrated Rehab Consultants advised of a data breach that was first identified in December 2016.
The Information Commissioner’s report has been picked up by the Australian Financial Review in its article ‘OAIC report reveals 63 data breach notifications in first six weeks of NDB scheme’.