The number of reported data breaches in Australia significantly increased in the period of 1 April to 30 June 2018, according to the second report on the Notifiable Data Breaches scheme by the Office of the Australian Information Commissioner (OAIC). The scheme, which commenced on 22 February 2018, requires private sector and federal government entities to notify the OAIC and affected individuals of any breach of personal information that is likely to result in serious harm to an individual.
The number of breach reports has risen every month since the Notifiable Data Breaches scheme began. This may suggest growing awareness by entities of their reporting obligations, an increasing frequency of serious breach incidents, a trend towards over-reporting of breaches, or some combination of these things.
Of the 242 notifications received since 1 April 2018 (compared to 63 in the period from commencement of the scheme to 31 March 2018), 142 notifications (or 59%) were primarily caused by a malicious or criminal attack, with a further 88 breaches caused by human error. However, many of the malicious or criminal incidents exploited human weaknesses such as clicking on a phishing email or disclosing passwords, suggesting that there is still plenty of scope for entities to further train their staff to avoid these pitfalls.
Somewhat surprisingly, physical theft of paperwork or data storage devices occurred in many malicious or criminal attack incidents. Organisations should take note and review their physical security protocols.
One reported breach affected over 1 million individuals. Large numbers of breaches involved data that was more than just individuals’ names and contact details – e.g. financial details (42% of breaches), government identifiers such as passport or driver’s licence numbers (39%) or health information (25%). 64 breaches have been reported by private health service providers since 22 February, of which 41% were malicious or criminal attacks.
The data bears out a point that is relevant to the current debate about whether individuals should choose to opt out of the My Health Records system: hackers value health information and are motivated to access it.
With the number of notifications steadily increasing, it’s crucial that Australian organisations are prepared to handle any (suspected) data breach. Three key points we have been working with clients on are:
A copy of the OAIC’s report can be found on the OAIC’s website (www.oaic.gov.au).
David Smith, Partner
Adam Walker, Partner
Alida Vandewiele, Associate