The Office of the Australian Information Commissioner (OAIC) this week released its 12-month Insights Report for the Notifiable Data Breach (NDB) Scheme (Report). The Report shows trends and noteworthy statistics from 1 April 2018 to 31 March 2019, reporting an uptick in notifications and identifying the most common cyber trends leading to a requirement to notify.
The OAIC notes that many entities have taken a proactive approach to engage with the OAIC and it has observed efforts by many organisations to lift their practices.
As a key message, the OAIC encourages entities to move “beyond compliance” to effectively support consumers. The Report states that it is those entities who focus on the consumer and navigate beyond compliance to support affected individuals to take steps to minimize or prevent harm in a meaningful way who will differentiate themselves and maintain trust over time.
The Report sets out the OAIC’s approach over the next year. Interestingly, the Report states that the OAIC will take a “proportionate and evidence-based regulatory approach” in relation to the NDB scheme, including by exercising enforcement powers where necessary. This suggests that, after a year of settling in, we may see an increase in the number of cases in which the OAIC elects to use its enforcement powers.
Statistics
Since the introduction of the NDB scheme, data breach notifications to the OAIC rose by 712% (compared to the previous voluntary disclosure regime).
Of 1,132 total notifications in the past year, 964 were eligible data breaches. Of these:
- 60% resulted from malicious or criminal attacks;
- 35% resulted from human error; and
- 5% resulted from system faults.
Within the 60% (580) of breaches resulting from malicious attacks, 68% (394) were attributed to incidents resulting from common cyber threats such as phishing, malware, ransomware or brute force attacks. The remaining 32% (186) were attributed to theft of paperwork or a storage device, social engineering fraud, and rogue employee behavior.
Credential compromise and phishing
Phishing alone accounted for 152 notifiable data breaches.
The Report draws specific attention to the vulnerability of businesses, particularly as phishing threats seeking access to users’ credentials (i.e. usernames and passwords) become more sophisticated and widespread. The Report encouraged entities to:
- Educate users on how to detect phishing emails;
- Implement multi‑factor authentication;
- Implement anti‑spoofing controls; and
- Educate users about password re‑use and security measures (for example, password managers and services such as ‘Have I Been Pwned’ to detect compromised accounts).
Human error
The second-highest source of data breaches was human error (35%). Within this category, the three highest causes were incorrect email recipients (97 breaches), unauthorized disclosure of information (62 breaches) and loss of paperwork or storage devices (46 breaches).
Again, the OAIC pointed to the need for education and training for employees who handle personal information, and strongly suggested businesses employ measures such as two-factor authentication and password control.
Size of breaches
Most notifiable breaches impacted only a small number of individuals – 83% of all breaches affected fewer than 1,000 people. The Report suggested this may reflect the prevalence of breaches caused by the poor workplace practices of a single employee, which typically expose dozens of records, rather than major data loss incidents arising from a single system compromise.
Types of data
The most prevalent form of data forming the subject of notifiable breaches was contact information (833 notifications), followed by financial information (433) and identity information (328). Others included health information (249) and tax file numbers (184).
The Commission highlighted that while most entities understand the difference in likely risk of harm between some types of information – i.e. contact information versus financial information – the most challenging obstacle was assessing the risk of harm or potential harm, and quantifying that harm.
Breach reporting time
The average time taken to report a data breach ranged between 17 and 26 days.
However, the Report stated that, on average, it takes a breached organisation 90 days to detect the initial data breach event, and a further 28.25 days to notify individuals of the data breach.
What can we learn from the Report?
Harm minimisation was the key issue pointed to by the report, with recommendations for entities to understand the importance of the data they hold and proactively contemplate steps to genuinely protect consumers from further harm in the event of a data breach.
This includes the need to put individuals first following a breach. Studies showed that entities who experienced a breach and communicated to affected individuals using plain English and a clear explanation of the impacts of the breach received much higher customer feedback scores.
The report concluded with ‘five best practice notifiable data breach tips for entities’:
1 People and training
Employees should be trained to detect and report email-based threats (such as phishing), to understand basic account security (such as secure passwords) and to protect their devices.
2 Preventative technologies and processes
Entities should prioritise investments in improving their overall security posture in line with known security risks. Where necessary, they should engage expert security advice.
3 Preparation
Entities should prepare a data breach response plan. A response plan provides practical guidance on how to reduce the impact of a data breach, meet obligations under the NDB scheme and support individuals to reduce harm.
4 Assessment of harm
Entities that deeply understand their data holdings and how data breaches could impact their customers (and other individuals with whom they deal) will be best placed to assess whether a data breach is notifiable or not following an incident.
5 Post-breach communication
Consumers have responded most favourably following a breach to those organisations that communicated in plain English about what had occurred and the steps they needed to take to protect themselves.