Australian breach notifications increase in the second half of 2019 but continue to lag behind other nations
On 28 February 2020, the Office of the Australian Information Commissioner (OAIC) released its Notifiable Data Breaches Report for July to December 2019, which shows that notifications under the notifiable data breaches (NDB) scheme of the Privacy Act increased 17% compared to the first half of 2019.
In this Limelight, we assess key trends from the report, which remain broadly consistent with previous periods. While it is not surprising that the number of breaches notified continues to increase, the relative volume of notifications is still well behind other parts of the world. However, proposed reforms to the Privacy Act, amongst other things, may go some way towards rectifying the discrepancy.
Notified data breaches
By way of a reminder, ‘eligible data breaches’ need to be notified under the NDB scheme. An ‘eligible data breach’ is a data breach where there is, or is likely to be, unauthorised access to or disclosure of personal information that is reasonably likely to result in serious harm to any affected individuals.
As the data relates to APP Entities, it does not include public sector education institutions. Therefore, incidents such as the ANU Data Breach are not included in the OAIC reports.
Between July and December 2019, there were 537 breach notifications, which is:
- a 17% increase from the 460 notifications made between January and June 2019; and
- a 6% increase from the 507 notifications made between July and December 2018.
Causes of notified breaches
Of the 537 breaches notified:
- 64% (or 343 breaches) were caused by malicious or criminal attack;
- 32% (or 170 breaches) were the result of human error; and
- 4% (or 24 breaches) arose from system faults.
It is encouraging that the percentage of notified breaches resulting from human error in the second half of 2019 is the lowest it has been since the NDB scheme commenced.
However, as has previously been the case, a majority of the malicious or criminal attack notifications required a human element, which involved one or more individuals taking steps they ought not to have, such as responding to a malicious password request or a phishing email or engaging with emails linked to malware.
Concerningly, for 74 notified malicious or criminal attacks, how the malicious actor obtained the compromised credentials used to access the data could not be traced.
The statistics continue to demonstrate that the greatest vector of exposure to data breaches (and cyber incidents more broadly) for businesses is the human element. Businesses should look to improve their cyber security and data security training. This includes regular exercises and feedback to employees on spotting and disposing of phishing emails. Associated company policies, including around data handling, should also be regularly reviewed and tested.
In time, these measures will drive a culture in which cyber and data security is embedded.
Affected industry sectors
The health services, finance and legal, education and account & management services continue to be the most affected industries, as has effectively been the case since the inception of the NDB scheme.
As we have expressed previously, there are a variety of reasons that may explain why these industries continue to be the most impacted, including the regularity with which organisations in those industries are required to deal with significant volumes of valuable personal information.
This makes organisations in these industries particularly susceptible to human error and likely targets for malicious actors. It is therefore especially important that these entities ensure they have proper cyber and data security measures in place that are regularly reviewed and tested.
Australia’s notification volumes in perspective
While the volume of notifications under the NDB scheme has increased, Australia’s notification rate continues to be significantly lower than that of many European nations that are subject to the notification regime under the General Data Protection Regulation (GDPR). For example, a recent report into the GDPR set out that, for the period 28 January 2019 to 27 January 2020:
- Netherlands had 147.2 breach notifications per 100,000 people;
- Germany had 31.12 breach notifications per 100,000 people;
- The UK had 17.79 breach notifications per 100,000 people; and
- Poland had 13.74 breach notifications per 100,000 people.
In contrast, for the period 1 January 2019 to 31 December 2019, Australia had just 3.99 breach notifications per 100,000 people.
Some of the discrepancy could be attributed to differences in reporting triggers and potentially also indications of a drop in the number of attacks targeted at Australia and New Zealand in the past year.
However, these factors almost certainly do not account for the extent of the disparity. We suspect there is a lack of breach reporting by organisations in Australia, which may in part be driven by the time frames for investigation and notification under the Privacy Act, the limited enforcement action taken to date, and the significantly smaller penalties that could be imposed by, and enforcement options available to, the OAIC for breaches of the NDB scheme and the Privacy Act.
European regulators have so far imposed more than €114,000,000 in fines under the GDPR, the largest of which was imposed on Google by the French regulator. Separately, on 8 July 2019, the United Kingdom regulator issued a notice of intention to fine British Airways more than €200,000,000 for breaches of the GDPR.
In contrast, the OAIC has not disclosed issuing any fines since the commencement of the NDB scheme arising out of breach notifications or investigations it has conducted. The OAIC has however just recently filed proceedings against Facebook Inc. on account of alleged data breaches arising out of the Cambridge Analytica saga. The outcome of this case may significantly impact the development of privacy laws in Australia.
Regulatory changes may impact notification volumes
In a previous article, we set out a range of proposed amendments to the Privacy Act, which provided for increased penalties and expanded enforcement powers and options to the OAIC to investigate and respond to breaches and breach notifications.
The measures also included additional funding for the regulator and the introduction of a statutory cause of action for affected individuals.
Once implemented, and provided the OAIC steps up its investigative action, these measures may provide the kick required to boost Australia’s notification rate so that it is comparable with other leading nations.
In the meantime, organisations must continue to build their cyber resilience by being better aware of their vulnerabilities and implementing strategies that improve policies and training around cyber and data security.