Data Protection and Privacy Compliance – Legal Update – 2 May 2023
Privacy compliance and data breach risk management is too often not taken seriously by Australian organisations. With the recent increase in penalties for repeated breaches – from $2.22 million to the greater of AU$50 million, or three (3) times the value of any benefit obtained through the misuse of information, or 30 percent of a company’s adjusted turnover in the relevant period – businesses cannot afford to be complacent about privacy compliance.
The complexity of organisational structures and IT business systems in many instances results in management not knowing what data is collected by whole of business and how the data is managed and stored. Privacy policies often do not accurately reflect how the organisation manages personal information, that is:
- The kind of personal information that the organisation collects and holds;
- How the organisation collects and holds the personal information;
- The purpose for which the organisation collects, holds uses and discloses personal information;
- Whether the personal information is likely to be disclosed to an overseas recipient and where that recipient is located;
- How individuals can access information about them and seek correction or lodge a complaint about a breach.
Data breaches can have significant impact on the businesses and result in:
- Business disruption
- Significant costs in responding to a data breach
- Reputational damage
- Loss of valuable intellectual property/confidential information
- Loss of business and revenue
- Reduction in capital/share value of the business
- Substantial costs in regaining consumer confidence that the organisation can be trusted with personal information/data
- Regulatory fines
- Compensation claims by individuals/class actions.
OAIC Data Breach Statistics
The Notifiable Data Breach (NDB) scheme under the Australian Privacy Act commenced on the 22 February 2018. The scheme requires mandatory notification by organisations[i] of a privacy data breach that is likely to result in “serious harm” to the individual whose personal information held by that organisation has been the subject of an unauthorised access, disclosure of or loss of personal information held by the entity.[ii]
The Office of the Australian Information Commissioner (OAIC), which is responsible for compliance with the NDB scheme, has recently published its Notifiable Data Breaches Report for the period from July to December 2022.[iii]
The OAIC Report provides statistics of notifiable data breaches together with valuable insights and learnings on the trends emerging under the NDB scheme. These statistics also provide very useful information for the risk assessment and potential organisational exposure to data breaches.
During the 6 months from 1 July, 2022 to 31 December 2022 the OAIC received 497 notifications of eligible data breaches under the NDB scheme – a 26% increase in the number of data breach notifications, compared to the previous 6 month period (during which 393 data breach notifications were received) with several of these data breaches impacting millions of Australians’ personal information. The highest number of notifications during the period were received during the month of December (102 notifications) with a dramatic increase in the proportion of all notifications (350 notifications or 70% of all notifications) attributed to malicious or criminal attack – an increase of 41% on the 249 malicious or criminal attack notifications made during the previous 6 months.
Once again, the majority of notified breaches during this period affected fewer than 100 people (62% or 306 of all notifications) – with 215 of these notifications impacting only 1 to 10 individuals. However, there were also 40 breaches that affected over 5,000 Australians during this period, compared with 24 during the last reporting period (an increase of 67% compared to the previous 6 month period) with 5 of these affecting over 1 million Australians (compared with 1 in the previous reporting period).[iv]
Other key findings and trends during the 6 month period ending 31 December 2022 include:-
- Thirty-three (33) of the 40 breaches that affected over 5,000 Australians were caused by cyber incidents;
- The top two (2) data breach reporting sectors (under the NDB scheme) were, once again, Health service providers (71 notifications) followed by Finance (68 notifications – including superannuation).
- Across all sectors, the majority of notified data breaches (88%) involved ‘contact information’ (such as an individual’s home address, phone number or email address) while 60% of the notified data breaches involved ‘identity information’ (such as an individual’s passport and/or driver licence numbers or other government identifiers). In addition, 41% of notified data breaches involved ‘financial details’ (such as bank account or credit card details).
- Across all sectors, the time between when an entity became aware of an incident and when they notified the OAIC (and affected individuals) remained similar to the time taken during the last reporting period – with 77% of breaches being identified by the entity within 30 days of it occurring (compared to 78% during the previous period).
- The OAIC noted that “across the life of the scheme, the time taken by entities to identify breaches has tended to vary depending on the source of breach….”and that during this reporting period “entities generally identified breaches caused by malicious or criminal attack the fastest and system fault breaches the slowest” while a third (33%) of system fault breaches were not identified “for over a year”.[v]
- Malicious or criminal attacks (350 notifications or 70% of all notifications) and human error (123 notifications or 25% of all notifications) continue to be the cause of the majority of the reported breaches.
- There was a small decrease in data breaches attributed to human error (compared to the previous 6 month period) accounting for 25% of the data breaches while data breaches attributed to malicious or criminal attack increased, accounting for 70% of them.
- The largest source of malicious or criminal attacks notifications during the period, involved cyber security incidents (45% or 222 of all notifications). These included ransomware (29%), compromised or stolen credentials (27%), phishing (23%), brute force attack (9%), hacking (8%) and malware (4%).
- Noting the impact of impersonation fraud and social engineering on the increasing number of cyber security data breaches, the OAIC noted that “Entities should also be aware that a social engineering incident can constitute an eligible data breach, even if a threat actor leveraged personal information they had already obtained (for example, through another data breach) to circumvent or exploit an entity’s security and identity verification processes.”[vi] .
- The OAIC observed that “Entities should implement measures to monitor and promptly detect system faults, which can be caused by hardware malfunctions or software settings errors, or even by natural disasters and extreme weather conditions. Entities should also consider whether the software they use is sufficiently secure and has been developed to support privacy and prevent and limit the impact of data breaches”.[vii]
- The OAIC noted that “a key objective of the NDB scheme is to promote notification to individuals” and recommended that “Entities should have a ‘data breach response plan’ that incorporates the requirements of the NDB scheme”[viii]; and
- Increasingly sophisticated scams and cyber security incidents.
Data breaches caused by human error (25% of data breaches in this reporting period) can be avoided by staff awareness and training. These kinds of data breaches can affect larger numbers of individuals.
The major causes of human error breaches include:
- Personal information sent by email or mail to the wrong recipient (42% during this reporting period).
- Unauthorised disclosure (unintended release or publication or failure to redact) – (33% during this reporting period)
- Failure to use BCC when sending emails – with an average of 19,163 individuals affected per breach in this category during this reporting period[ix] – (6% during this reporting period)
- Loss of paperwork/data storage (5% during this reporting period); and
- Insecure disposal of personal information (2% during this reporting period).
In many cases unauthorised disclosure of confidential information or data occurs because employees do not have an adequate understanding of the type of data/information that is protected under the Privacy Act and other laws for the protection of confidential information/data and the organisation’s obligations under those laws in relation to data protection from unauthorised disclosure, use and loss. Many of the human error data breaches can be avoided by appropriate ongoing staff training in data protection and privacy compliance and handling of information.
Minimising Risk of Data Breaches – Steps to Assist in Data Protection
There is no single solution for the protection of data and compliance with data protection laws. A whole of business approach is required. People are the most important part of the process and solution, followed by technology. Safeguards against unauthorised use, disclosure, theft, cyber-attacks, industrial espionage and sabotage of IT system have to be agile and updated to deal with increasing sophistication of cyber-attacks or cyber incidents. Some steps that Organisations may consider taking to minimise risk and harm and to protect confidential information/data:
- Understand what type of data including confidential information and personal and sensitive information is collected and managed by the organisation and who is authorised to access this information. An audit of the organisational data collection and flow may be required. Legal advice may also be required.
- Undertake ongoing reviews and assessments of the organisational and technological data flows, storage (including location of storage) and risks.
- Have all staff sign non-disclosure/confidentiality agreements and provide appropriate training.
- Implement and update appropriate security measures for the protection of confidential information/data (including when emailing sensitive personal information). Measures and controls could include encryption, password protection, multi-facet authentication and monitoring data flows.
- Have a cyber-security expert assess and monitor your computer system for potential vulnerabilities to cyber-attacks and implement appropriate measures to deal with risks.
- Implement and update appropriate technological measures to deal with possible cyber threats including viruses, ransomware, malware, hacking and other cyberattacks.
- Develop and implement a data breach response plan which implements the requirements of the Notifiable Data Breach scheme and includes guidelines for ‘best practice’ post-breach communication to affected individuals for reduction of ‘harm’ to both the affected individuals and the entity;
- Keep up to date in relation to the latest scams and cyber threats including identification/impersonation fraud or social engineering[x], phishing emails and telephone calls requesting passwords and other personal information and keep management and employees updated. Useful resources for such updates include:
- Stay Smart Online – an online alert service which provides alerts on the latest threats and information on how to reduce the risk of cyber threats
- ACCC Scam watch
- Australian Cyber Security Centre (ACSC) – including the ACSC’s cyber incident response plan guidance, template and checklist[xi];
- Australian Cybercrime Online Reporting Network (Acorn)
- Education and training of management and employees on commencement and then at least annually[xii] – including on:-
- data handling practices;
- how to report suspected privacy breaches; and
- how to communicate a data breach to affected individuals – to minimise harm to the entity and the affected individuals.
Disclaimer: This legal update is not intended to be a substitute for obtaining legal advice.
Authored by Katarina Klaric, Principal, Stephens Lawyers & Consultants. The contribution of Rochina Iannella is acknowledged in the research and update of this Legal Update .
© Stephens Lawyers & Consultants. 3 October 2018 – Updated 12 September 2020 and 10 August 2021; Updated 2 May 2023
For further information contact:
Katarina Klaric
Principal
Stephens Lawyers & Consultants
Melbourne Head Office
Suite 205, 546 Collins Street, Melbourne VIC 3000
Phone: (03) 8636 9100
Sydney Office
Level 29, Chifley Tower, 2 Chifley Square, Sydney, N.S.W. 2000
Phone: (02) 9238 8028
Email: [email protected]
Website: www.stephens.com.au
All Correspondence to:
PO Box 16010
Collins Street West
Melbourne VIC 8007
To register for newsletter updates and to send your comments and feedback, please email [email protected]
[i] Under the scheme, any organisation or government agency covered by the Privacy Act 1988 (Cth) that experiences an eligible data breach must notify affected individuals and the OAIC.
[ii] Privacy Act 1988(Cth) s 26 WE(2)
[iii] Office of the Australian Information Commissioner Notifiable Data Breaches Report: July to December 2022 – Published 1 March 2023
[iv] Office of the Australian Information Commissioner Notifiable Data Breaches Report: July to December 2022 at Page 10
[v] Office of the Australian Information Commissioner Notifiable Data Breaches Report: July to December 2022 at Page 14
[vi] Office of the Australian Information Commissioner Notifiable Data Breaches Report: July to December 2022 at Page 22
[vii] Office of the Australian Information Commissioner Notifiable Data Breaches Report: July to December 2022 at Page 14
[viii] Office of the Australian Information Commissioner Notifiable Data Breaches Report: July to December 2022 at pages 17, 18
[x] Office of the Australian Information Commissioner Notifiable Data Breaches Report: July to December 2022 at Page 22
[xi] https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/publications/cyber-incident-response-plan
[xii] Office of the Australian Information Commissioner Notifiable Data Breaches Report: July to December 2022 at Page 22 – Privacy training recommended by the OAIC “to new staff on commencement and all staff at least annually”.