16 May
Twelve Months On: Notifiable Data Breach Scheme Insights
Notifiable Data Breaches Scheme 12‑month Insights Report
The Office of the Australian Information Commissioner (OAIC) released their Notifiable Data Breaches (NDB) Scheme 12‑month Insights Report.
For a little over a year, it has been a legal requirement for entities to carry out an assessment whenever they suspect that there may have been loss of, unauthorised access to, or unauthorised disclosure of personal information that they hold. If serious harm is likely to result, they must notify affected individuals so they can take action to address the possible consequences. They must also notify the OAIC.
While the NDB scheme does not generally permit the OAIC to publish details about which entities have reported eligible data breaches, there has been a sustained interest from the media in reporting data breaches over the year, which has meant that in many cases, entities that have experienced a data breach have been in the public eye.
As we move into the second year of operation of the NDB scheme, the OAIC expects entities to understand the causes of data breaches and take proactive steps to prevent them. This means taking reasonable steps to ensure that the necessary people, processes and technology are in place to prevent and respond to breaches.
In the coming year, the OAIC will take a proportionate and evidence‑based regulatory approach in relation to the NDB scheme, including by exercising our enforcement powers where necessary.
Report at a glance
964 Total data breach notifications under the NDB scheme from 1 April 2018 to 31 March 2019
712% Increase in notifications since the introduction of the NDB scheme – compared with the previous 12 months under the voluntary scheme
60% Data breaches that were malicious or criminal attacks – Malicious or criminal attacks were the main sources of data breaches in the NDB scheme’s first year
35% Data breach notifications attributed to human error – Many data breaches involved human error, such as through unintended disclosure of personal information or the loss of a data storage device.
5% Data breach notifications were attributed to system faults.
153 Number of breaches attributed to phishing – Phishing and spear phishing continue to be the most common and highly effective methods by which entities are being compromised
Finance and health were the top industry sectors to report data breaches. This is likely a reflection of the high‑volume data holdings in these industries and may also indicate comparatively mature processes for identifying and reporting data breaches. Both sectors face strong regulatory scrutiny around data protection, and the costs associated with data breaches may also be higher.
How entities can reduce the risk of credential compromise
• Educating users on how to detect phishing emails
• Implementing multi‑factor authentication
• Implementing anti‑spoofing controls (such as DMARC or SPF)
• Educating users about password re‑use and security measures (for example, password managers and services such as ‘Have I Been Pwned’ to detect compromised accounts)
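As an added example (not code from the OAIC report or from this post), the following Python script applies the anti-spoofing point in the list above: it parses a domain's SPF and DMARC TXT records and reports settings that leave spoofed mail deliverable (a soft-fail or permissive `all`, a `p=none` policy, partial `pct`, no aggregate reporting address). The three domains and their records are constructed sample values; in practice you would fetch the TXT records for `<domain>` and `_dmarc.<domain>` yourself.

```python
import re

# Constructed sample records for three hypothetical domains (assumed values,
# not real DNS data). In practice fetch the TXT records for <domain> and
# _dmarc.<domain> with your resolver of choice.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mail.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:reports@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:reports@strong.example",
    },
    "unprotected.example": {"spf": None, "dmarc": None},
}

# Mechanisms that each consume one of the 10 DNS lookups RFC 7208 allows.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Return the qualifier on 'all' and the DNS-lookup count, or None if not SPF."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    all_qualifier = None
    lookups = 0
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # '+' is the default
        body = term.lstrip("+-~?")
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_TERMS:
            lookups += 1
    return {"all": all_qualifier, "lookups": lookups}


def parse_dmarc(record):
    """Return DMARC tags as a dict with lower-cased keys, or None if not DMARC."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(spf_record, dmarc_record):
    """Return a list of findings; an empty list means both records enforce."""
    findings = []
    spf = parse_spf(spf_record)
    if spf is None:
        findings.append("SPF: no record, so receivers cannot tell which hosts may send for this domain")
    else:
        if spf["all"] in (None, "+"):
            findings.append("SPF: '+all' or a missing 'all' authorises every sender")
        elif spf["all"] == "~":
            findings.append("SPF: '~all' only soft-fails spoofed mail; move to '-all' once all senders are listed")
        elif spf["all"] == "?":
            findings.append("SPF: '?all' is neutral and gives receivers nothing to act on")
        if spf["lookups"] > 10:
            findings.append("SPF: more than 10 DNS-lookup terms results in a permerror (RFC 7208)")
    dmarc = parse_dmarc(dmarc_record)
    if dmarc is None:
        findings.append("DMARC: no record, so SPF/DKIM failures carry no policy")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC: p=none monitors only; spoofed mail is still delivered")
        elif policy == "quarantine":
            findings.append("DMARC: p=quarantine is a step short of p=reject")
        if int(dmarc.get("pct", "100")) < 100:
            findings.append("DMARC: pct<100 applies the policy to only part of the mail flow")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua address, so no aggregate reports are received")
    return findings


def assess_all(records=SAMPLE_RECORDS):
    """Assess every domain in the sample set and return findings per domain."""
    return {domain: assess(r["spf"], r["dmarc"]) for domain, r in records.items()}


if __name__ == "__main__":
    for domain, findings in assess_all().items():
        print(domain, "->", findings or ["enforcing SPF and DMARC"])
```

Running the script reports two findings each for `weak.example` (soft-fail SPF, monitoring-only DMARC) and `unprotected.example` (no records at all), and none for `strong.example`. The SPF lookup count is included because a record that exceeds the 10-lookup limit evaluates to a permanent error, which in effect removes the protection the record was meant to provide.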
Challenges and opportunities for improvement
Over the coming year, entities should seek to understand their data holdings and proactively contemplate the mitigation steps which would genuinely protect consumers from further harm in the event of a data breach.
Entities should also test whether their data breach response plans and contracts adequately address all arrangements necessary in the event of a data breach, including accountabilities for assessing harm and notification and providing access to premises and information and other matters relevant to investigating data breaches.
All entities should also rethink how to effectively secure their personal information holdings taking account of the known causes of data breaches. Best practice entities will also take responsibility for the costs and impacts of rectifying the harmful impacts of data breaches when they occur, and supporting individuals to mitigate the impact of a data breach.
The NDB scheme’s first year has provided valuable insights into the factors that contribute to data breaches. In particular, entities should reflect on the finding that most data breaches involve human factors. Improving employee knowledge and implementing processes and technologies to support data protection are evidently critical measures. The goal is to foster workplace cultures where privacy and security are organisational priorities and a continuous focus for all employees.
The full report is available for download here: Notifiable Data Breaches Scheme 12-month Insights Report
Risk Management Framework
A cyber insurance policy should be part of every successful business’s risk management framework. Cyber insurance is not the first line of defence; it is designed to protect a business when its IT security, policies and procedures fail to stop an attack.
There is no such thing as an impenetrable system; this is why in today’s digital age Cyber Insurance is a must for your business to mitigate your exposure in the event of a cyber-attack.
Don’t wait until it’s too late – click here to obtain a Cyber Insurance quote online in a matter of minutes.
If you have any further questions on Cyber Insurance and how it can protect your business, contact Vikram Choudhry on 1300 880 494.