The Office of the Australian Information Commissioner (OAIC) has released its latest notifiable data breach statistics, covering the period 1 July to 31 December 2019:
- 537 notifications (increased from 460 between 1 January and 30 June 2019)
- 32% of these were attributed to human error (down from 34% in the previous reporting period)
- 64% were attributed to malicious or criminal attacks, which remain the leading cause of data breaches across Australia
- 4% were attributed to system faults.
Whilst not the largest reporting sector, private education providers were responsible for 9% of all breaches, which is arguably an over-representation for the size of the sector. Of those breaches, 61% were due to a malicious or criminal attack. Four percent of all breaches were notified by entities in the "personal services" sector, which includes community services and childcare centres. The highest reporting sector was the health sector, which notified 22% of all breaches.
What is an eligible data breach?
Under the Notifiable Data Breach Scheme, a data breach is ‘eligible’ where:
- there is unauthorised access to, or unauthorised disclosure of, personal information (or loss of personal information in circumstances where such access or disclosure is likely to occur);
- a reasonable person would conclude that the access or disclosure is likely to result in serious harm to any of the individuals whose personal information is involved; and
- the entity has not been able to prevent the likelihood of serious harm through remedial action.
Where do organisations need to be the most careful?
- The report emphasised the risk that arises when sensitive data is transmitted by email, in particular the risk of harm to individuals whose personal information is emailed to the wrong recipient. The OAIC has therefore recommended that organisations consider additional security controls when emailing sensitive and other personal information, for example by password-protecting the attached files. Note that such a control only helps if the password is communicated through a separate channel (for instance by phone or SMS) rather than in the same email or a follow-up email to the same address, and that the legacy encryption used by many zip tools is weak, so a format with modern encryption (such as AES-based zip or an encrypted PDF) should be preferred.
- Organisations should ensure that their privacy, information handling and security practices are watertight, up to date and consistent with the relevant regulations and best practice.
- Policies should be clear about what kinds of information may be stored in and shared via email, and how that information will be protected, so that personal information is contained to the systems and recipients intended to hold it.
How Moores can help
Moores can assist with drafting or reviewing current policies and procedures to ensure that they are tailored to your organisation’s needs and consistent with best practice to minimise risk and liability. For more information, please do not hesitate to contact us.