Risk Management: Data Protection and Privacy Compliance
Privacy compliance and data breach risk management are too often not taken seriously by Australian organisations. The complexity of organisational structures and IT business systems in many instances results in management not knowing what data is collected across the whole of the business, or how that data is managed and stored. Privacy policies often do not accurately reflect how the organisation manages personal information, that is:
- The kind of personal information that the organisation collects and holds;
- How the organisation collects and holds the personal information;
- The purpose for which the organisation collects, holds, uses and discloses personal information;
- Whether the personal information is likely to be disclosed to an overseas recipient and where that recipient is located;
- How individuals can access information about them and seek correction or lodge a complaint about a breach.
Data breaches can have a significant impact on businesses and result in:
- Business disruption
- Significant costs in responding to a data breach
- Reputational damage
- Loss of valuable intellectual property/confidential information
- Loss of business and revenue
- Reduction in capital/share value of the business
- Substantial costs in regaining consumer confidence that the organisation can be trusted with personal information/data
- Regulatory fines
- Compensation claims by individuals/class actions.
OAIC Data Breach Statistics
The Notifiable Data Breach (NDB) scheme under the Australian Privacy Act commenced on 22 February 2018. The scheme requires organisations to notify a privacy data breach that is likely to result in “serious harm” to the individual whose personal information, held by that organisation, has been the subject of unauthorised access, unauthorised disclosure or loss.[i]
The Office of the Australian Information Commissioner (OAIC), which is responsible for compliance with the NDB scheme, has published its Notifiable Data Breaches Report for the period from January to June 2021.[ii]
The OAIC Report provides statistics on notifiable data breaches together with valuable insights and learnings on the trends emerging under the NDB scheme. These statistics also provide very useful information for assessing risk and an organisation’s potential exposure to data breaches.
During the 6 months from 1 January 2021 to 30 June 2021 the OAIC received 446 notifications of eligible data breaches under the NDB scheme – a 16% decrease in the number of data breach notifications compared to the previous 6 month period (during which 530 data breach notifications were received).
The highest number of notifications during the period were received during the month of March (102 notifications) with a high proportion of all notifications (43%) attributed to cyber security incidents, while the proportion of data breaches attributed to human error was 30% (down in number from 203 to 134).
Once again, the majority of notified breaches during this period affected 100 or fewer individuals (65%) – while 44% of the breaches impacted 1 to 10 individuals. There were also 3 data breach notifications which compromised the personal information of over 1 million individuals worldwide – with one of these affecting over 10 million individuals.
Of noted concern during the January 2021 to June 2021 reporting period were:-
- the notification of a number of data breaches resulting from “impersonation fraud”, where someone (a ‘malicious actor’) impersonates another person to gain access to an account, system, network or physical location. The OAIC requires and expects to be notified by entities when they experience impersonation fraud where there is a likely risk of “serious harm”[iii]; and
- the marked increase in the number of data breaches attributed to ransomware attacks (24% or 46 in number) – up from 37 notifications during the previous 6 month period.[iv] The OAIC noted that with ransomware attacks being so prevalent, it “expects entities to have appropriate internal practices, procedures, and systems in place to undertake a meaningful assessment” of such data breaches – while “having the appropriate protective measures can prevent ransomware attacks from occurring in the first place”[v].
Other key findings and trends during this 6 month period ending 30 June 2021 include:-
- The top two (2) data breach reporting sectors (under the NDB scheme) were, once again, Health service providers (19% or 85 of all notifications) followed by Finance, including superannuation (13% or 57 of all notifications). The remaining 3 industries in the top five data breach reporting sectors were the Legal, Accounting and Management sector (35 notifications), the Australian Government sector (34 notifications) and the Insurance sector (34 notifications).
- Across all sectors, the majority of notified data breaches (91% or 407 in number) involved ‘contact information’ (such as an individual’s name, home address, phone number or email address). This made contact information the most common type of ‘personal information’ involved in data breaches during this reporting period. Notifications involving ‘identity information’ (such as an individual’s passport and/or driver licence numbers or other government identifiers) accounted for 55% of data breaches, while 43% (193 in number) involved ‘financial details’ (such as bank account or credit card details).[vi]
- Accounting for 65% (289 in number) of all notifications, malicious or criminal attacks continue to be the cause of the majority of the reported breaches.
- The largest source of malicious or criminal attack notifications during the period involved cyber incidents including phishing, malware, ransomware, brute force attacks and compromised or stolen credentials – with many of these cyber incidents involving a human factor.
- While there was a decrease in data breaches attributed to human error compared to the previous 6 month period (down 34% in number from 203), human error was the second largest source of data breaches during the January to June 2021 reporting period.[vii] The OAIC also noted that the human factor plays a role in many cyber security breaches (such as clicking on a phishing email or disclosing passwords) and that entities should remain alert to this risk.[viii]
Data breaches caused by human error can be avoided by staff awareness and training. These kinds of data breaches can affect larger numbers of individuals.
The major sources of human error include:
- Personal information sent by email or mail to the wrong recipient.
- Unauthorised disclosure (unintended release or publication, or failure to redact) – with an average of 523,998 individuals affected per notification in this category during this reporting period.[ix]
- Loss of paperwork/data storage device
- Failure to use BCC when sending emails
- Insecure disposal of personal information.
In many cases unauthorised disclosure of confidential information or data occurs because employees do not adequately understand which data or information is protected under the Privacy Act and other laws protecting confidential information, or the organisation’s obligations under those laws to protect data from unauthorised disclosure, use and loss.
Many of the human error data breaches can be avoided by appropriate ongoing staff training in data protection and privacy compliance and handling of information.
Minimising Risk of Data Breaches – Steps to Assist in Data Protection
There is no single solution for the protection of data and compliance with data protection laws. A whole of business approach is required. People are the most important part of the process and solution, followed by technology. Safeguards against unauthorised use, disclosure, theft, cyber-attacks, industrial espionage and sabotage of IT systems have to be agile and updated to deal with the increasing sophistication of cyber-attacks and cyber incidents.
Some steps that organisations may consider taking to minimise risk and harm and to protect confidential information/data:
- Understand what type of data including confidential information and personal and sensitive information is collected and managed by the organisation and who is authorised to access this information. An audit of the organisational data collection and flow may be required. Legal advice may also be required.
- Undertake ongoing reviews and assessments of the organisational and technological data flows, storage (including location of storage) and risks.
- Have all staff sign non-disclosure/confidentiality agreements and provide appropriate training.
- Implement and update appropriate security measures for the protection of confidential information/data (including when emailing sensitive personal information). Measures and controls could include encryption, password protection, multi-factor authentication and monitoring of data flows.
- Have a cyber-security expert assess and monitor your computer system for potential vulnerabilities to cyber-attacks and implement appropriate measures to deal with risks.
- Implement and update appropriate technological measures to deal with possible cyber threats including viruses, ransomware, malware, hacking and other cyberattacks.
- Develop and implement guidelines for ‘best practice’ post-breach communication to affected individuals for reduction of ‘harm’ to both the affected individuals and the entity.
- Keep up to date in relation to the latest scams and cyber threats including phishing emails and telephone calls requesting passwords and other personal information and keep management and employees updated. Useful resources for such updates include:
  - Stay Smart Online – an online alert service which provides alerts on the latest threats and information on how to reduce the risk of cyber threats
  - ACCC Scamwatch
  - Australian Cyber Security Centre (ACSC)
  - Australian Cybercrime Online Reporting Network (ACORN)
- Ongoing education and training of management and employees – including on:-
  - data handling practices;
  - how to report suspected privacy breaches; and
  - how to communicate a data breach to affected individuals – to minimise harm to the entity and the affected individuals.
Authored by Katarina Klaric, Principal, Stephens Lawyers & Consultants. The contribution of Rochina Iannella is acknowledged in the research and update of this Information Sheet.
© Stephens Lawyers & Consultants. 3 October 2018 – Updated 10 September 2021
This Information Sheet is not intended to be a substitute for obtaining legal advice.
For further information contact:
Stephens Lawyers & Consultants
All Correspondence to:
PO Box 16010
Collins Street West
Melbourne VIC 8007
Suite 205, 546 Collins Street
Melbourne VIC 3000
Phone: (03) 8636 9100
Fax: (03) 8636 9199
[i] Privacy Act 1988 (Cth) s 26WE(2)
[ii] Office of the Australian Information Commissioner Notifiable Data Breaches Report: January to June 2021
[iii] Office of the Australian Information Commissioner Media Release ‘Data breach report highlights ransomware and impersonation fraud as concerns’, 23 August 2021; Office of the Australian Information Commissioner Notifiable Data Breaches Report: January to June 2021 at page 16
[iv] Office of the Australian Information Commissioner Notifiable Data Breaches Report: January to June 2021 at page 18
[vi] Office of the Australian Information Commissioner Notifiable Data Breaches Report: January to June 2021 at page 10
[vii] Office of the Australian Information Commissioner Notifiable Data Breaches Report: January to June 2021 at page 18
[viii] Office of the Australian Information Commissioner Media Release ‘Data breach report highlights ransomware and impersonation fraud as concerns’, 23 August 2021
[ix] Office of the Australian Information Commissioner Notifiable Data Breaches Report: January to June 2021 at page 19