Update on Australia’s Notifiable Data Breaches scheme

Authors: Tim Clark and Andrew Barling

In our earlier article ‘Data Breach Response Planning: Getting Down to Business’ we referred to the introduction of a mandatory new Notifiable Data Breaches (NDB) scheme in Australia and outlined some steps organisations could take to prepare. The changes were introduced by the Privacy Amendment (Notifiable Data Breaches) Act 2017 (Cth). The new law requires entities covered by the Privacy Act 1988 (Cth) to notify both the Office of the Australian Information Commissioner (OAIC) and affected individuals of any data breach in respect of personal information they hold where the breach is likely to result in serious harm.

We are now seeing how the mandatory NDB scheme is operating in practice. The OAIC has just released its second quarterly statistical report on notifications under the NDB scheme (NDB Report). You can access their news release and a link to the Report here.

Tim Clark, Partner, and Andrew Barling, Senior Associate, summarise the Notifiable Data Breaches Report.

Overview

The NDB Report indicates that a total of 242 notifications were received in the quarter ending 30 June 2018. Although this is the OAIC’s second such report, the previous report only covered a period of a few weeks (and reported 63 notifications). So, this NDB Report represents the first full quarter of data since the NDB scheme commenced on 22 February 2018.

Chart1

The single largest cause of data breaches that were reported in the quarter was malicious or criminal attack (59%), followed by human error (36%). The cause of the remaining 5% of data breaches was notified to be system faults.

Malicious or criminal attack

Malicious or criminal attacks are those deliberately crafted to exploit known vulnerabilities for financial or other gain. The single largest type of malicious or criminal attack were described as “cyber incidents”. These include phishing, malware, ransomware, brute-force attack, compromised or stolen credentials (e.g. user ID and password) and hacking by other means. It includes social engineering attacks (where an outside attacker manipulates personnel inside the organisation usually to avoid standard security protocols) or impersonation or actions taken by a rogue insider.

One of the most common forms of cyber attacks is phishing. Phishing involves an attempt by an attacker to trick a person into disclosing personal information such as bank accounts, login IDs, passwords or credit card numbers by pretending to be contacting them from a legitimate source. It is a relatively common form of cyber attack and can lead to significant financial fraud: see the Australian Competition and Consumer Commission’s Scamwatch report for more details. It is no surprise that the data reveals a large number of phishing attacks: humans are often a weak link in an organisation’s security systems. However, this should not necessarily be seen as a criticism of staff in general. Phishing attacks are becoming increasingly sophisticated, with attackers often undertaking research on target organisations leading to more apparently genuine correspondence, often targeting specific individuals or roles within organisations.

Read the entire article.