Twelve Months On: Notifiable Data Breach Scheme Insights
16 May
Notifiable Data Breaches Scheme 12‑month Insights Report
The Office of the Australian Information Commissioner (OAIC) has released its Notifiable Data Breaches (NDB) Scheme 12‑month Insights Report.
For a little over a year, it has been a legal requirement for entities to carry out an assessment whenever they suspect that there may have been loss of, unauthorised access to, or unauthorised disclosure of personal information that they hold. If serious harm is likely to result, they must notify affected individuals so they can take action to address the possible consequences. They must also notify the OAIC.
While the NDB scheme does not generally permit the OAIC to publish details about which entities have reported eligible data breaches, there has been a sustained interest from the media in reporting data breaches over the year, which has meant that in many cases, entities that have experienced a data breach have been in the public eye.
As we move into the second year of operation of the NDB scheme, the OAIC expects entities to understand the causes of data breaches and take proactive steps to prevent them. This means taking reasonable steps to ensure that the necessary people, processes and technology are in place to prevent and respond to breaches.
In the coming year, the OAIC will take a proportionate and evidence‑based regulatory approach in relation to the NDB scheme, including by exercising our enforcement powers where necessary.
Report at a glance
964 Total data breach notifications under the NDB scheme from 1 April 2018 to 31 March 2019
712% Increase in notifications since the introduction of the NDB scheme – compared with the previous 12 months under the voluntary scheme
60% Data breaches that were malicious or criminal attacks – Malicious or criminal attacks were the main sources of data breaches in the NDB scheme’s first year
35% Data breach notifications attributed to human error – Many data breaches involved human error, such as through unintended disclosure of personal information or the loss of a data storage device.
5% Data breach notifications were attributed to system faults.
153 Number of breaches attributed to phishing – Phishing and spear phishing continue to be the most common and highly effective methods by which entities are being compromised
Finance and health were the top industry sectors to report data breaches. This is likely a reflection of the high‑volume data holdings in these industries and may also indicate comparatively mature processes for identifying and reporting data breaches. Both sectors face strong regulatory scrutiny around data protection, and the costs associated with data breaches may also be higher.
Five best practice notifiable data breach tips for entities
1. Your people and the role of training
All employees should be trained on how to detect and report email‑based threats (such as phishing), understand basic account security (such as secure passwords) and how to protect their devices. Education should also focus on data handling practices and how to report suspected privacy breaches.
Typically, best practice approaches in mature organisations involve a dedicated training program comprising face‑to‑face training and e-learning, supported by tools and ongoing communication on how employees can stay safe from evolving threats.
Entities should consider their broader workforce (including contractors) when setting awareness strategies.
2. Preventative technologies and processes
All entities should prioritise investments in improving their overall security posture in line with known security risks. Where necessary, they should engage expert security advice.
At a user level, technologies such as multi‑factor authentication complement user education in mitigating the risk of compromised credentials. Encryption and secure data transfer technologies also minimise the risk of data loss in everyday communications. Proactive monitoring of systems should be undertaken so that entities can detect and respond to breaches in a timely manner.
Uplifting these strategies provides a prime opportunity to review data holdings and minimise unnecessary holdings.
3. Preparing for data breach incidents
Entities that have prepared for data breach incidents prove to be best placed to identify and manage data breaches.
A data breach response plan provides practical guidance on how to reduce the impact of a data breach, meet obligations under the NDB scheme and support individuals to reduce harm. Over the coming year, entities should seek to address multi‑party and supplier breaches in data breach response plans and contracts.
Regular exercises or data breach simulations are also a critical way that organisations can ensure preparedness as they often highlight deficiencies and risky dependencies.
4. Assessment of harm
Entities that deeply understand their data holdings and how data breaches could impact their customers (and other individuals with whom they deal) will be best placed to assess whether a data breach is notifiable or not following an incident.
The test for assessing whether an incident is notifiable under the NDB scheme is whether it is likely to result in serious harm for affected individuals. The threshold is designed to be flexible, as each entity is best placed to understand the individuals with whom they engage. There is an opportunity for industry groups to share knowledge to drive strategies which will better support consumers.
The risk of reporting when the threshold is not reached is that of notification fatigue and resulting inertia when it really matters. These factors point to the need for a thoughtful assessment process which has regard to the particulars of the incident.
5. Post‑breach communication
Transparency and simplicity are key guiding principles in the wake of a data breach.
Consumers have responded most favourably to those organisations that communicated in plain English about what had occurred and the steps they needed to take to protect themselves. Organisations should also be mindful of the impacts of mixed messages and poor timing, for example, issuing the notification before a weekend or public holiday, when response actions cannot be taken.
Emerging best practice by entities in the past year has included establishing and maintaining microsites and setting up support lines to give customers centralised channels to ask questions and find out what they can do to reduce harm. This is increasingly considered best practice.
Challenges and opportunities for improvement
Over the coming year, entities should seek to understand their data holdings and proactively contemplate the mitigation steps which would genuinely protect consumers from further harm in the event of a data breach.
Entities should also test whether their data breach response plans and contracts adequately address all arrangements necessary in the event of a data breach, including accountabilities for assessing harm and notifying, providing access to premises and information, and other matters relevant to investigating data breaches.
All entities should also rethink how to effectively secure their personal information holdings taking account of the known causes of data breaches. Best practice entities will also take responsibility for the costs and impacts of rectifying the harmful impacts of data breaches when they occur, and supporting individuals to mitigate the impact of a data breach.
The NDB scheme’s first year has provided valuable insights into the factors that contribute to data breaches. In particular, entities should reflect on the finding that most data breaches involve human factors. Improving employee knowledge and implementing processes and technologies to support data protection are evidently critical measures. The goal is to foster workplace cultures where privacy and security are organisational priorities and a continuous focus for all employees.
The full report is available for download here: Notifiable Data Breaches Scheme 12‑month report
Risk Management Framework
A cyber insurance policy should be part of every successful business’s risk management framework. Cyber insurance is not the first line of defence; it is designed to protect a business when its IT security, policies and procedures fail to stop an attack.
There is no such thing as an impenetrable system; this is why in today’s digital age Cyber Insurance is a must for your business to mitigate your exposure in the event of a cyber-attack.
Don’t wait until it’s too late – click here to obtain a Cyber Insurance quote online in a matter of minutes.
If you have any further questions on Cyber Insurance and how it can protect your business, contact Vikram Choudhry on 1300 880 494.