The Office of the Australian Information Commissioner (OAIC) has received a total of 63 personal data breach notifications since the Notifiable Data Breaches (NDB) scheme came into effect on February 22, 2018. This figure and the nature of the data breaches were revealed in OAIC’s first quarterly report on the NDB.
The NDB scheme introduces data breach notification requirements for government agencies and organizations that already have obligations to secure personal information under the Australian Privacy Act 1988, for example, private and not-for-profit organizations with an annual turnover of more than AU$3 million. With the NDB, they are required to notify individuals whose personal information was involved in a data breach, and therefore are likely at risk of serious harm. Aside from the individuals involved, the OAIC must also be notified of the eligible data breaches.
Australia’s NDB was implemented only months before the European Union’s General Data Protection Regulation (GDPR), which also has a set of strict rules on breach notification. The two are aligned in the aims of strengthening personal information security and increasing transparency on data-related activities and incidents. Since there are still weeks to wait before the GDPR is enforced, for now, the NDB’s report provides a regional snapshot of data breaches as they are discovered.
A snapshot of data breach notifications
In February, the OAIC had already received eight reports of data breaches. March saw more notifications, with 55 being added to the total tally for the first quarter. In the quarterly report, the incidents were organized by sector, cause, and type, shedding some light into the characteristics of the data breaches the office has been notified about.
The OAIC found that health service providers reported the most number of notifications out of all the sectors, totalling 24 percent of the notifications. The four other sectors which reported a significant number of notifications were legal, accounting, and management services (16 percent), finance (13 percent), education (10 percent), and charities (6 percent).
The most common cause for the reported data breaches was human error, which was behind 51 percent of the breaches. It was followed by malicious or criminal attacks, which were the cause of 44 percent of the breaches. Noted also were system faults, which accounted for 3 percent.
As for the types of data affected, 78 percent were individuals’ contact information, 33 percent were health information, and 30 percent were financial details.
Eligible data breaches
Whether the salient characteristics of reported data breaches will remain the same or a pattern will emerge from them will have to wait until the NDB has been in effect longer. What is certain is that all 63 reported breaches were considered “eligible data breaches” under the NDB. This means that each was assessed as likely to cause serious harm to the individuals whose data was breached, and that the organizations involved have not yet taken remedial action that can minimize the likelihood of serious harm.
Organizations and agencies affected by the Australian Privacy Act 1988 which have detected similar personal data breaches must also inform the individuals concerned and the OAIC. The OAIC has made reporting accessible by providing an online form to fill out. The information the form requires are as follows: the full contact information of the organization, a description of the breach, the kind of information involved in the breach, and recommended steps for individuals to take in response to the breach.
The NDB scheme gives organizations three options for informing involved individuals, the bottom line being that they must exert enough effort in notifying those who are at serious risk because of a breach, even if it means an incident will be more publicized.
A call for data breach prevention and notification
Not all countries, regions, or organizations have data breach notification policies and guidelines. In some cases, reporting a data breach is at an organization’s discretion. Breach notification measures of the NDB and GDPR empower data owners in the event of a data breach by increasing transparency between organizations and their customers or users. Data breach notification helps individuals defend themselves against the consequences of a data breach while organizations address the breach from their end.
Organizations must also continue to protect their data on all fronts, whether threats come from external or internal, accidental or intentional sources. Organizations, customers, and even data regulation authorities benefit most when data breaches are avoided in the first place. One of the ways organizations can prevent data breaches is by making a comprehensive review of their data processing policies and security measures and clearly identifying their own infrastructure’s vulnerabilities. In turn, a review enables IT teams to build better defenses and find patches. Another good way of ensuring data protection is following GDPR’s guidance of employing “state-of-the-art” cybersecurity as well as adopting the principle of privacy by design and default. Using the latest cybersecurity technology that can prevent and detect threats old and new, known and unknown, helps protect the entire enterprise from data breaches. Finally, educating and training employees on cybersecurity best practices addresses the human error factor.
Notification schemes like those of Australia’s NDB and the EU’s GDPR enable better documentation of data breaches, providing knowledge that can benefit organizations and authorities worldwide in the constant battle against cyberthreats. The NDB scheme and the GDPR also promote more transparency on security incidents involving personal data, thus fostering a stronger sense of trust between organizations and their customers.