- For the period April 2018 to March 2019 the OAIC reported receiving a total of 1,132 notifications under the NDB scheme and on a voluntary basis.
- In Australia, malicious or criminal attacks continue to be the main source of data breaches, with 60% of breaches notified during that period being attributable to such attacks.
- The predominance of human factors in data breaches emphasises the importance of education/training, preventative technologies and effective response processes.
The notifiable data breach (NDB) scheme was established by the passage of the Privacy Amendment (Notifiable Data Breaches) Act 2017 and came into operation on 22 February 2018.
Under the NDB scheme agencies and organisations regulated under the Privacy Act 1988 are required to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm to individuals whose personal information is involved in the breach. Many agencies and organisations not captured by the NDB scheme have elected to opt-in and undertake voluntary reporting as a measure of best practice.
The first year of the NDB scheme provided a good snapshot of how Australian entities are responding to the challenges associated with protecting personal information. Key trends, detailed statistics and lessons learnt are set out in the ‘Notifiable Data Breaches Scheme 12-month Insights Report’ (Report) issued by the OAIC.
For the period April 2018 to March 2019 (Period) the OAIC reported receiving a total of 1,132 notifications under the NDB scheme and on a voluntary basis.
Malicious or criminal attacks continue to be the main source of data breaches, with 60% of breaches notified during the Period being attributable to such attacks. Notably, phishing and spear phishing were the most effective methods by which entities were compromised. Human error accounted for 35% of notified breaches and system fault for 5% of notified breaches.
The vast majority of notified data breaches were small in scale and affected fewer than 1,000 people. Most notifications involved unauthorised access to or disclosure of contact information.
What do these trends mean for entities captured by the NDB scheme and those undertaking voluntary reporting? The predominance of human factors in data breaches emphasises the importance of education/training, preventative technologies and effective response processes.
The Report sets out the following five best practice tips:
- Education: Train employees to identify and report email-based threats, to have a basic understanding of account security and to be aware of measures they can take to protect their devices. Mature organisations and those working in high-risk industries should also consider implementing dedicated training programs.
- Preventative technologies: At the user level, entities should implement preventative technologies such as multi-factor authentication, encryption, secure data transfer technologies and proactive monitoring systems.
- Preparation: Preparedness is key. All entities should adopt a suitable data breach response plan and undertake regular data breach simulations to test their preparedness.
- Assessment: Each entity should have a deep understanding of its data holdings and the effect that a data breach may have on its clients and customers.
- Post-breach communication: In the aftermath of a data breach, transparency and simplicity have been found to be imperative. Persons affected by data breaches responded most favourably to entities that communicated the incident in plain English and outlined what steps affected persons could take to protect themselves.
Post by John Kell and Vanja Simic