Notifiable Data Breaches first Quarterly report released

The Office of the Australian Information Commissioner (OAIC) has published the first quarterly report on data breach notifications received under the Notifiable Data Breaches (NDB) scheme, which came into force on 22 February 2018.

The OAIC received 63 data breach notifications under the scheme during the first six weeks of the scheme’s operation. In the 2016–17 financial year, the OAIC received a total of 114 data breach notifications on a voluntary basis.

The OAIC’s acting Australian Information Commissioner and acting Privacy Commissioner, Angelene Falk, said, “Just over half of the eligible data breach notifications we received in the first quarter indicated that the cause of the breach was human error. In the 2016–2017 financial year 46 per cent of the data breach notifications received by the OAIC voluntarily were also reported to be the result of human error.”

“This highlights the importance of implementing robust privacy governance alongside a high standard of security. The risk of a data breach can be greatly reduced by implementing practices such as Privacy Impact Assessments, information security risk assessments, and training for any staff responsible for handling personal information.”

Gerry Power, National Head of Sales for specialist underwriting agency Emergence, said the statistics were “frightening” and warned that the NDB scheme meant companies could not keep silent on data breaches because notification to the OAIC is now mandatory.

Key statistics from the first quarterly report include:

  1. Top five sectors that notified the OAIC of eligible data breaches included health service providers (24 per cent of notifications), legal, accounting and management services (16 per cent), finance (13 per cent), private education (10 per cent), and charities (6 per cent).
  2. 78 per cent of eligible data breaches were reported to involve individuals’ contact information. 33 per cent were reported to involve health information and 30 per cent to involve financial details.
  3. 51 per cent of the eligible data breach notifications received indicated that the cause of the breach was human error. 44 per cent of breaches were reported to be the result of malicious or criminal attack, and 3 per cent the result of system faults.
  4. 59 per cent of data breach notifications reported that the personal information of between one and nine individuals was affected. 90 per cent of data breach notifications related to breaches involving the personal information of fewer than 1,000 individuals.

You can read the full report here.