Information Commissioner releases Notifiable Data Breaches Report for the period July – December 2021
March 10, 2022
The Information Commissioner has released the latest report on notifiable data breaches, covering the second half of 2021. It records 464 data breach notifications from July to December 2021: a total of 464 for the whole of Australia over a six-month period. According to itgovernance, 5.1 million records were breached worldwide in February 2022 alone. That so few breaches are reported to the Commissioner is ample evidence of how flawed the data breach regime remains.
There are a number of reasons for this failure in public policy. A starting point is the limited coverage of the Privacy Act. The small business exemption, together with the journalist and political party exemptions, leaves a large part of the economy that collects, holds and uses data outside the Act's coverage. The Notifiable Data Breaches scheme relies on self-assessment, using a long list of factors to determine whether a breach is likely to result in serious harm. For some organisations that reinforces a bias against notification. In some industries the reputational damage of not notifying outweighs most other considerations, so notification is not an issue. But where the convoluted structure of the Act permits those who are afraid of the light to avoid notification, there is a problem with the legislation. The other problem is that since 1988 the Privacy Commissioner, and now the Information Commissioner, has been a tentative regulator. Even as the office's powers to take action have grown, its attitude has not shifted. Until recently its work rate was abysmal. This has led to a culture of impunity: there is a perception that the consequences of poor privacy practices are insignificant.
The Commissioner’s media release provides:
As Australia’s Notifiable Data Breaches scheme marks its fourth year of operation, the Office of the Australian Information Commissioner (OAIC) is urging organisations to put accountability at the centre of their information handling practices.
Australian Information Commissioner and Privacy Commissioner Angelene Falk said doing so would give individuals greater confidence that their personal information will be handled fairly and securely when they engage with an organisation.
“Australians expect that their personal information will be handled with care when they choose to engage with a product or service and are more likely to entrust their data to organisations that have demonstrated effective privacy management,” Commissioner Falk said.
The latest Notifiable Data Breaches Report shows the OAIC received 464 data breach notifications from July to December 2021, an increase of 6% compared with the previous period.
Malicious or criminal attacks remain the leading source of breaches, accounting for 256 notifications (55% of the total), down 9% in number from 281.
There was a significant rise in breaches due to human error, increasing by 43% to 190, after a dip in the previous period.
The health sector remains the highest reporting industry sector notifying 18% of all breaches, followed by finance (12%).
Commissioner Falk said the Notifiable Data Breaches scheme is well established after four years of operation and the OAIC expects organisations to have strong accountability measures in place to prevent and manage data breaches in line with legal requirements and community expectations.
“The scheme is now mature and we expect organisations to have accountability measures in place to ensure full compliance with its requirements,” she said.
“If organisations wish to build trust with customers, then it is essential they use best practice to minimise data breaches and, when they do occur, they put individuals at the centre of their response.”
The OAIC is still finding that some organisations are falling short of the scheme’s assessment and notification requirements.
“A key objective of the scheme is to protect individuals by enabling them to respond quickly to a data breach to minimise the risk of harm,” Commissioner Falk said.
“Delays in assessment and notification reduce the opportunities for an individual to take steps to protect themselves from harm.”
Commissioner Falk said swift assessment and notification is required, supported by systems to detect that a breach has occurred. For example, a notable proportion of organisations that experienced system faults (11%) did not become aware of the incident for over a year.
As the risk of serious harm to individuals often increases with time, the OAIC expects organisations to treat 30 days as a maximum time limit for an assessment of a data breach and to aim to complete the assessment in a much shorter timeframe.
In the reporting period, 75% of organisations notified the OAIC within 30 days of becoming aware of an incident, compared with 72% in the previous period. Twenty-eight organisations took longer than 120 days from when they became aware of an incident to notify the OAIC.
The report highlights a scenario in which an organisation experienced a phishing attack and an employee’s email account was compromised. A preliminary review of the incident suggested a significant amount of personal information was at risk, but that it would take 5 months to identify and tailor notifications to everyone at risk of serious harm.
In this case, best practice was to promptly notify individuals, providing general recommendations that applied to all individuals whose personal information was contained in the email account, rather than attempting to tailor notifications and delay the process.
Notwithstanding the defects in the reporting system and the resulting inaccuracy of the reported number of data breaches, the report is useful for picking up trends. Recent reports have been very good in that regard. The key findings by the Commissioner are:
- 464 breaches were notified under the scheme, an increase of 6% compared with 436 notifications in January to June 2021.
- Malicious or criminal attacks remain the leading source of breaches, accounting for 256 notifications (55% of the total), down 9% in number from 281.
- Data breaches resulting from human error accounted for 190 notifications (41% of the total), up 43% in number from 133.
- The health sector remains the highest reporting industry sector notifying 18% of all breaches, followed by finance (12%).
- Contact information remains the most common type of personal information involved in breaches.
- 96% of breaches affected 5,000 individuals or fewer, while 71% affected 100 people or fewer.
- 75% of entities notified the OAIC within 30 days of becoming aware of an incident.
The report provides the following snapshot of its findings:
The OAIC received 464 notifications, which is up 6%.
There were 76 notifications in July, 74 in August, 80 in September, 67 in October, 84 in November and 83 in December.
The top industry sectors to notify data breaches were:
- health service providers – 83 notifications
- finance – 56 notifications
- legal, accounting and management services – 51 notifications
- personal services – 36 notifications
- education – 32 notifications
- insurance – 32 notifications.
- Seventy-one per cent of data breaches affected 100 people or fewer.
- The sources of data breaches were:
  - malicious or criminal attack – 55%
  - system fault – 4%
  - human error – 41%.
Thirty-seven per cent of all data breaches (173 notifications) resulted from cyber security incidents.
- The breakdown of cyber incidents was:
  - phishing (compromised credentials) – 32%
  - compromised or stolen credentials (method unknown) – 28%
  - ransomware – 23%
  - hacking – 8%
  - brute-force attack (compromised credentials) – 5%.
- The top causes of human error breaches were:
  - personal information emailed to wrong recipient – 43%
  - unintended release or publication – 21%
  - loss of paperwork or data storage device – 8%.
Other factors according to the report:
- 37% of all breaches (173 notifications) resulted from cyber security incidents.
- 65% of cyber incidents involved malicious actors gaining access to accounts using compromised or stolen credentials (the phishing, unknown-method and brute-force categories in the breakdown above combined).
- a significant increase in human error breaches, both in the total number of notifications received – up 43% from 133 to 190 – and proportionally – up from 31% to 41%.
- human error breaches include:
  - emailing personal information to the wrong recipient – 43%
  - unintended release or publication of personal information – 21%
  - loss of paperwork or data storage device – 8%.
- malicious and criminal attacks include:
  - cyber incidents – 68%
  - social engineering or impersonation, theft of paperwork or data storage device, and actions taken by a rogue employee or insider threat – 32%.
- The most common source of data breaches varied across the top industry sectors.