2018 review – Lifting the lid on Australian data breaches

During this Privacy Awareness Week, the Office of the Australian Information Commissioner (OAIC) has published its first Insights report on the Notifiable Data Breach (NDB) scheme.

The NDB scheme requires agencies and organisations under the Privacy Act 1998 (Cth) to report data breaches which are likely to cause serious harm to individuals whose personal information is involved in the breach.

Since 2018, the OAIC has been collecting data and publishing quarterly reports about the NDB scheme. The Insights report provides information on the sources of data breaches, the industries they target and any emerging trends.

Snapshot of the 2018 report

This year, the OAIC has reported that in 2018:

  • 964 breaches in total;
  • 712% increase in notifications since the introduction of the NDB scheme when compared to the previous voluntary scheme;
  • 60% of data breaches were malicious or criminal attacks;
  • 83% of data breaches affected fewer than 1,000 people;
  • 35% of data breaches were caused by human error;
  • 55% of health sector data breaches were due to human error; and
  • 41% of finance sector data breaches were due to human error.

Findings from the report

The report provides valuable insight for organisations to learn how to manage and develop strategies around data breaches. Data has indicated that most data breaches involve human factors (e.g. sending an email to the wrong person or clicking on a phishing email).

Organisations should ensure that employees are well trained, systems are up to date and there are policies in place to handle data breaches. It is important that businesses have a clear understanding of what is considered a data breach and whether any such breach is a notifiable data breach. A failure to take the appropriate steps can have significant negative reputational and financial consequences. Organisations which delay or fail to notify eligible data breaches will face regulatory action from the OAIC.

Macpherson Kelley is experienced in providing strategic advice in relation to data breaches and can assist your business in ensuring compliance with the NDB scheme, and the wider privacy compliance regime more generally.

Macpherson Kelley is also the only Australian member of international alliance PrivacyRules Ltd., allowing us to draw on local expertise relating to privacy compliance, cybersecurity and data protection matters in the overseas jurisdictions where our clients do business.

If you would like any further information regarding the application of privacy laws to your business, please contact Kelly Dickson or Jason Kaye.

This article was written by Jai Manoharan, Law Graduate.