Lessons Learned from the Notifiable Data Breaches Scheme

Coinciding with the start of Privacy Awareness Week, the Office of the Australian Information Commissioner has released the Insights Report on the Notifiable Data Breaches Scheme, reviewing its first twelve months of operation.

The Notifiable Data Breach (NBD) Scheme introduced additional reporting obligations for public and private entities with existing information security obligations under the Privacy Act. The NBD focuses on requiring these entities to notify individuals when data breaches occur that could threaten the privacy of their information. With a strong emphasis on promoting transparency and accountability, the Insights Reports sheds light on current trends in data breaches and guides best practice in how to mitigate these risks.

Results

After its first twelve months, a total of 964 data breaches notifications have been reported. The Scheme has prompted a 712% increase in total notifications compared to the previous twelve months under the voluntary scheme. A closer look at the breakdown of breaches reveals the key sources of breaches are cyber-attacks and human error. 

Of the 964 notifications, 60% were attributable to malicious or criminal attacks, 35% to human error and 5% to system faults.

The leading cause of data breaches was phishing, where users’ credentials would be compromised. The prevalence of these attacks highlights the need for ongoing user education to empower customers to detect potential phishing attacks. Additional security measures including multi-factor authentication, anti-spoofing controls and education about password integrity are also key to strengthening resistance to such attacks.

The results also raise concerns about the major role that human error continues to play in data breaches. Accounting for over a third of total notifications in the previous 12 months, the fact that simple mistakes such as sending personal information to the wrong recipient accounted for one in ten breaches highlights the gap in training and support for employees. Reporting entities under the NBD Scheme should seek to improve internal process and technology for keeping customers’ personal information safe.

Recommendations

The Insights Report notes that continuing importance of the NBD Scheme in allowing for timely action to reduce harm arising from data breaches. Delays in reporting reduces opportunities a consumer would otherwise have to take steps to prevent harm from a breach.

In light of the Report, entities should seek to move beyond mere compliance and focus to proactively implementing effective consumer support. This proactivity should extend to cooperation and engagement with the OAIC, the development and implementation of data breach response plans, and continuing to meet and exceed security and privacy standards.

If you would like guidance in achieving compliance, please contact our privacy and data security team.