Privacy compliance and data breach risk management are too often not taken seriously by Australian organisations, but businesses cannot afford to be complacent about privacy compliance. The Office of the Australian Information Commissioner (OAIC) expects organisations to be compliant and to have security measures in place to minimise the risk of a data breach. Organisations also need to be aware of their mandatory notification obligations under the Notifiable Data Breach (NDB) scheme.[i] The recent increase in penalties for repeated or serious privacy breaches – from AU$2.22 million to the greater of AU$50 million, three (3) times the value of any benefit obtained through the misuse of information, or 30 percent of a company’s adjusted turnover in the relevant period – means that privacy compliance should be a priority for all organisations and businesses that collect or hold Australians’ personal information.
The OAIC’s latest Notifiable Data Breaches Report, for the six months ending 31 December 2023[ii] (OAIC Report), reveals an added risk for organisations that outsource the handling of personal information to third-party service providers and contractors: a large increase in the number of multi-party (or secondary) breaches, resulting mainly from breaches at a cloud or software provider.[iii]
The six-month period ending 31 December 2023 also saw a significant increase in the number of data breaches affecting multiple entities, resulting in the OAIC receiving multiple (secondary) notifications relating to the same incident,[iv] with a corresponding increase in the complexity, scale and impact of data breaches.[v] In addition, recent data breaches highlight the risks of retaining personal information for longer than needed: the more personal information an entity holds, the greater the possible scale and complexity of a data breach.[vi]
The increasing complexity of organisational structures and IT systems often means that management does not know what data the business as a whole collects, or how that data is managed and stored. Privacy policies often do not accurately reflect how the organisation actually manages personal information, that is:
- The kind of personal information that the organisation collects and holds;
- How the organisation collects and holds the personal information;
- The purpose for which the organisation collects, holds, uses and discloses personal information;
- For how long the personal information is needed by the organisation and whether/when it should be destroyed or deidentified;
- Whether the organisation outsources the handling of personal information to third party service providers and contractors;
- Whether the personal information is likely to be disclosed to an overseas recipient and where that recipient is located;
- How individuals can access information about them and seek correction or lodge a complaint about a breach.
Data breaches can have a significant impact on a business and result in:
- Business disruption
- Significant costs in responding to a data breach
- Reputational damage
- Loss of valuable intellectual property/confidential information
- Loss of business and revenue
- Reduction in capital/share value of the business
- Substantial costs in regaining consumer confidence that the organisation can be trusted with personal information/data
- Regulatory fines and penalties
- Compensation claims by individuals/class actions.
OAIC Data Breach Statistics
The NDB scheme under the Australian Privacy Act commenced on 22 February 2018. The scheme requires organisations[vii] to notify a data breach that is likely to result in “serious harm” to an individual whose personal information, held by that organisation, has been subject to unauthorised access, unauthorised disclosure or loss.[viii]
The OAIC, which oversees compliance with the NDB scheme, recently published its half-yearly report for the period July to December 2023.[ix]
The OAIC’s reports provide statistics on notifiable data breaches together with valuable insights into the trends emerging under the NDB scheme. These statistics are also very useful when assessing an organisation’s risk of, and potential exposure to, data breaches.
During the 6 months from 1 July 2023 to 31 December 2023 the OAIC received 483 primary notifications of eligible data breaches under the NDB scheme – a 19% increase in the number of data breach notifications compared to the previous 6-month period. In addition to the 483 primary notifications, the OAIC received 121 ‘secondary notifications’ – significantly more than the 29 secondary notifications received during the previous 6-month reporting period.[x] The highest number of notifications during the period was received in December (97 notifications). The leading source of all data breach notifications (322 notifications, or 67% of all notifications) was again malicious or criminal attack, with the majority of these (44%, or 211 notifications) resulting from cyber security incidents.[xi]
Once again, the majority of notified breaches during this period affected fewer than 100 people (65% of all notifications), with 207 of these notifications impacting 1 to 10 individuals. There were also 41 breaches that affected over 5,000 Australians during this period, compared with 28 during the last reporting period, while three (3) of the data breaches impacted the personal information of one million or more Australians.[xii]
Other key findings and trends during the 6-month period ending 31 December 2023 include:
- Twenty-two (22) of the 26 breaches that affected over 5,000 Australians were caused by cyber incidents.
- The top two (2) data breach reporting sectors (under the NDB scheme) were, once again, health service providers (104 notifications) followed by finance (49).
- Across all sectors, and consistent with previous reporting periods, the majority of notified data breaches (88%) involved ‘contact information’ (such as an individual’s home address, phone number or email address), while 63% of the notified data breaches involved ‘identity information’ (such as an individual’s passport and/or driver licence numbers or other government identifiers). In addition, 41% of notified data breaches involved ‘health information’, surpassing ‘financial details’, which was third during the last reporting period.
- During this reporting period 64% of breaches were reported within 10 days of the breach occurring, while 23% were reported more than 30 days after it occurred and 2% took more than 12 months to be notified. Human error breaches were the fastest to be notified, while system fault breaches were the slowest.[xiii]
- Malicious or criminal attacks and human error continue to cause the majority of reported breaches.
- There was a significant increase in the number of data breaches attributed to human error compared to the previous 6-month period: 144 notifications, up from 107.
- During this reporting period 17% of malicious or criminal attack data breaches were caused by social engineering or impersonation, actions taken by a rogue employee or insider threat accounted for 11%, and 7% resulted from theft of paperwork or a data storage device.
The major causes of human error breaches during this reporting period include:
- Personal information sent to the wrong recipient by email (33%) or by mail (10%);
- Unauthorised disclosure (unintended release or publication, or failure to redact) (20%), and unauthorised verbal disclosure (8%);
- Failure to use ‘BCC’ when sending emails (8%);
- Loss of paperwork or a data storage device (9%); and
- Insecure disposal of personal information (1%).
In many cases unauthorised disclosure of confidential information or data occurs because employees do not adequately understand which data and information is protected under the Privacy Act and other confidentiality laws, or the organisation’s obligations under those laws to protect data from unauthorised disclosure, use and loss.
Many human error data breaches can be avoided through appropriate ongoing staff training in data protection, privacy compliance and information handling.
Minimising Risk of Data Breaches – Steps to Assist in Data Protection
There is no single solution for the protection of data and compliance with data protection laws; a whole-of-business approach is required. People are the most important part of the process and solution, followed by technology. Safeguards against unauthorised use, disclosure, theft, cyber-attacks, industrial espionage and sabotage of IT systems have to be agile and kept up to date to keep pace with the evolving and increasing sophistication of cyber-attacks and cyber incidents.
There are also additional risks to consider where an organisation outsources the handling of personal information to service providers and contractors.
Some steps that organisations may consider taking to minimise risk and harm and to protect confidential information and data:
- Understand what type of data, including confidential information and personal and sensitive information, is collected and managed by the organisation and who is authorised to access this information and whether the collection is necessary. An audit of the organisational data collection and flow may be required. Legal advice may also be required.
- Undertake ongoing reviews and assessments of the organisational and technological data flows, storage (including location of storage) and risks – as well as ongoing reviews of whether personal information is still needed and if it should be destroyed or deidentified.
- Consider establishing and implementing a data retention policy.[xiv]
- Have all staff sign non-disclosure/confidentiality agreements and provide appropriate training – including encouraging staff/employees and customers to use strong passphrases to protect their accounts.[xv]
- Organisations/employers that have staff/employees/contractors working remotely or in hybrid work and related working environments should consider conducting a privacy impact assessment to identify and address risks arising from these employees’ and contractors’ work environments.
- Ensure that the organisation’s information governance framework covers contractors and third-party service providers that have access to or handle personal information on the entity’s behalf, and that appropriate agreements are in place that address data protection and personal information handling obligations, including data breach response requirements, defined data retention periods and processes for destroying or de-identifying data.[xvi]
- Implement and update appropriate security measures for the protection of confidential information and data (including when emailing sensitive personal information). Measures and controls could include identity management, encryption, password protection, multi-factor authentication and monitoring of data flows. Organisations are encouraged to remain vigilant and to review and strengthen their access security measures.[xvii]
- Have a cyber-security expert assess and monitor your computer system for potential vulnerabilities to cyber-attacks and implement appropriate measures to deal with risks.
- Implement and update appropriate technological measures to deal with possible cyber threats including viruses, ransomware, malware, hacking and other cyberattacks.
- Develop and implement a data breach response plan that implements the requirements of the NDB scheme and includes guidelines for ‘best practice’ post-breach communication to affected individuals, to reduce ‘harm’ to both the affected individuals and the entity. The data breach response plan should recognise and reflect that “a key objective of the NDB scheme is to ensure individuals are promptly told of data breaches so they can quickly take steps to minimise their risk of harm”.[xviii]
- Keep up to date on the latest scams and cyber threats, including identification/impersonation fraud or social engineering, phishing emails and telephone calls requesting passwords and other personal information, and keep management and employees updated. Useful resources for such updates include:
  - Stay Smart Online – an online alert service which provides alerts on the latest threats and information on how to reduce the risk of cyber threats
  - ACCC Scamwatch
  - Australian Cyber Security Centre (ACSC) – including the ACSC’s cyber security defence strategies guidance[xix] and cyber incident response plan guidance, template and checklist[xx]
  - Australian Cybercrime Online Reporting Network (Acorn)
  - Office of the Australian Information Commissioner (OAIC) – including the OAIC’s guidance on securing personal information[xxi] and on data breach preparation and response[xxii]
  - Australian Securities & Investments Commission (ASIC) – including ASIC’s guidance on cyber security resilience[xxiii]
  - Australian Government Department of Home Affairs/Cyber and Infrastructure Security Centre – guidance for corporate leaders on their cyber security obligations, including obligations under the Privacy Act and NDB scheme[xxiv]
- Education and training of management and employees on commencement and then at least annually, including on:
  - data handling practices;
  - how to report suspected privacy breaches; and
  - how to communicate a data breach to affected individuals, to minimise harm to the entity and the affected individuals.
Disclaimer: This legal update is not intended to be a substitute for obtaining legal advice.
Authored by Katarina Klaric, Principal, Stephens Lawyers & Consultants. The contribution of Rochina Iannella, Lawyer, is acknowledged in the research and update of this Legal Update.
© Stephens Lawyers & Consultants. 3 October 2018 – Updated by Rochina Iannella on 12 September 2020, 10 August 2021, 2 May 2023, 28 November 2023 – and this Update on 9 April 2024
[i] Office of the Australian Information Commissioner, Media Release “Data breach report highlights supply chain risks”, 22 February 2024.
[ii] Office of the Australian Information Commissioner, Notifiable Data Breaches Report: July to December 2023, published 22 February 2024.
[iii] Ibid.
[iv] Notifications relating to the same incident were counted as a single notification in the NDB Report to avoid duplication. Office of the Australian Information Commissioner, Notifiable Data Breaches Report: July to December 2023, at page 28.
[v] Office of the Australian Information Commissioner, Media Release “Data breach report highlights supply chain risks”, 22 February 2024.
[vi] Office of the Australian Information Commissioner, Notifiable Data Breaches Report: July to December 2023, at page 13.
[vii] Under the scheme, any organisation or government agency covered by the Privacy Act 1988 (Cth) that experiences an eligible data breach must notify affected individuals and the OAIC.
[viii] Privacy Act 1988 (Cth) s 26WE(2).
[ix] Office of the Australian Information Commissioner, Notifiable Data Breaches Report: July to December 2023, op. cit.
[x] Ibid. at page 5.
[xi] Office of the Australian Information Commissioner, Media Release “Data breach report highlights supply chain risks”, op. cit.
[xii] Ibid. at pages 10-11.
[xiii] Office of the Australian Information Commissioner, Notifiable Data Breaches Report: July to December 2023, op. cit., at page 15.
[xiv] Office of the Australian Information Commissioner, Notifiable Data Breaches Report: July to December 2023, at page 13.
[xv] Ibid. at page 24.
[xvi] Office of the Australian Information Commissioner, Notifiable Data Breaches Report: July to December 2023. See page 29 for the OAIC’s recommendations on steps organisations should take before using third-party service providers.
[xvii] Office of the Australian Information Commissioner, Notifiable Data Breaches Report: July to December 2023, at page 16.
[xviii] Office of the Australian Information Commissioner, Notifiable Data Breaches Report: July to December 2023, at page 19.
[xix] https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight
[xx] https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/publications/cyber-incident-response-plan
[xxi] https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/handling-personal-information/guide-to-securing-personal-information
[xxii] https://www.oaic.gov.au/privacy/privacy-guidance-for-organisations-and-government-agencies/preventing-preparing-for-and-responding-to-data-breaches/data-breach-preparation-and-response
[xxiii] https://asic.gov.au/regulatory-resources/corporate-governance/cyber-resilience/
[xxiv] Overview of Cyber Security Obligations for Corporate Leaders (cisc.gov.au)