Data at risk? Latest quarterly figures from the Office of the Information Commissioner

Notifiable data breach

Since February 2018, the Australian Government has imposed mandatory reporting obligations on various entities under the Privacy Act 1988 (Cth) for data breaches that would be likely to result in serious harm to the individuals to whom the breach relates[1]. Such entities include organisations with a turnover greater than $3 million; Australian Government agencies; private health service providers; credit reporting bodies and providers; and those that trade in personal information and are tax file number recipients[2]. Further, entities that do not meet these criteria but have Privacy Act security obligations in relation to particular types of information still have an obligation to report a data breach that relates to that information[3].

The Office of the Australian Information Commissioner (OAIC), under this notifiable data breach scheme, has also published notifiable data breach figures since February 2018. These figures are important because they may help organisations consider the systems needed to reduce the occurrence of a significant data risk.

Data breach or cyber data incident?

A data breach is the unauthorised access, use, distribution or disclosure of data and information, regardless of its format[4]. A cyber data incident, on the other hand, involves, and is directed towards, data held by computers or other information and communications technologies.

Latest quarterly results: Where were the largest breaches?

For the period 1 July to 30 September 2018, the OAIC received 245 notifications. Of these:

  1. 57% were caused by a malicious or criminal attack;
  2. 37% by human error; and
  3. 6% by a system fault[5].

During this period, the largest number of breaches related to the access of personal information of 100 or fewer individuals[6]. Here, 85% involved access to personal contact information, 45% involved access to personal financial details (including tax file numbers) and 35% involved access to personal identity information[7].

Malicious Criminal Attack

A malicious criminal attack occurs when a method is deliberately engineered so as to exploit data for advantage[8]. In the July to September period, 69% of occurrences that involved a malicious criminal attack were connected to a cyber incident[9]. These were achieved by a party using ransomware, malware or the exploitation of human vulnerabilities, such as individuals clicking on phishing emails and disclosing passwords[10].

Human Error

Human error is the second largest contributor to personal information breaches. These range from small-scale breaches, such as emails and mail being sent to the incorrect recipients, to larger-scale ones, such as the loss of storage devices and the disclosure of personal contact details in group emails by failing to use blind carbon copy (BCC)[11]. For instance, in the period July to September 2018, the OAIC received 29 notifications relating to personal information being sent to the incorrect email recipient, while 14 notifications related to unauthorised disclosure, being the unintended release of documentation or information[12]. Interestingly, the failure to redact personal information affected as many as 633 individuals on average per incident, and the failure to use BCC affected 494 individuals on average per incident[13].

System Fault

System faults resulted in 6% of data breaches within the July to September 2018 period[14]. Within this area, the unintended release or publication of personal information was the highest form of personal information breach, followed by the unintended access to personal information[15].

Is your industry at high risk?

The highest proportion of breaches was in the private health service sector, followed by the finance sector, and then the legal, accounting and management service sectors[16]. The major breaches within the private health and finance sectors were the result of human error[17], while the legal, accounting and management service sector had an equal number of notifiable breaches from malicious criminal attack and from human error[18].

Conclusion

The reality for many organisations is that data breaches can occur regardless of size. Organisations need to be cognisant of their obligation to report notifiable data breaches. Further, as IT services assist the growth, development and diversification of commercial enterprise, the incidence of notifiable cyber security breaches is a clear signal that organisations have the responsibility to have measures in place to prevent where possible, and mitigate when required, the loss associated with cyber and other data breaches.


------------------------------------------------------

[1] Privacy Act 1988 (Cth) s 26WE(2)(a)(ii).

[2] Office of the Australian Information Commissioner, ‘Data Breach Preparation and Response’, February 2018, 25; Office of the Australian Information Commissioner, ‘Notifiable Data Breaches Quarterly Statistics Report 1 July – 30 September 2018’, October 2018, 13; Privacy Act 1988 (Cth) ss 5B, 6, 6C-6D, 26WE, 26WE, 26WD; Health Records Act 2012 (Cth) s 75.

[3] ‘Data Breach Preparation and Response’, above n 2, 25; Privacy Act 1988 (Cth) s 26WE.

[4] Commonwealth, ‘Australia’s Cyber Security Strategy Enabling Innovation, Growth and Prosperity’ (Strategy Paper, The Department of the Prime Minister and the Cabinet, 2016) 15.

[5] ‘Notifiable Data Breaches Quarterly Statistics Report 1 July – 30 September 2018’, above n 2, 3, 7.

[6] Ibid 5-6.

[7] Ibid 6.

[8] Ibid 7.

[9] Ibid 10.

[10] Ibid.

[11] Ibid 8.

[12] Ibid.

[13] Ibid 8-9.

[14] Ibid 12.

[15] Ibid 12.

[16] Ibid 13-15.

[17] Ibid 14.

[18] Ibid.