The Office of the Australian Information Commissioner (the OAIC) has released its second Quarterly Statistics Report (the Report) on the mandatory notifiable data breaches (NDB) scheme. The finance sector was the third-highest reporter of NDBs with 30% of breaches including financial details and a majority (78%) of those breaches also including contact information.

The Australian financial sector has acknowledged eight breaches of customer data privacy since mandatory reporting began on 22 February 2018. There were 242 total data breaches reported in the last quarter – a marked increase from the 63 data breaches reported in the first quarter report of the regime. This brings the total number of data breaches reported to 305 since the commencement of the scheme on 22 February 2018.

The NDB Scheme: An Eligible Data Breach

The NDB Scheme prevents organisations from concealing eligible data breaches if the breach is considered to result in serious harm to the affected person(s).  Under section 26WE of the Privacy Act 1988 (Cth) (the Act), an eligible data breach occurs where:

  • there is an unauthorised access or unauthorised disclosure of information and a reasonable person would conclude that access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates; or
  • information is lost in circumstances where such unauthorised access or disclosure is likely to occur and a reasonable person would conclude that, assuming such access or disclosure did occur, it would be likely to result in serious harm to any individuals to whom that information relates.

The OAIC has produced new guidelines to assist organisations in Identifying Eligible Data Breaches and Entities covered by the NDB Scheme.

Notification to the OAIC

Once an organisation forms the view, based on reasonable grounds, that there has been a NDB, it must:

  • prepare a statement in accordance with the Act, and
  • give a copy of the statement to the OAIC as soon as practicable after the organisation becomes aware of the NDB.

The organisation must notify the contents of that statement to the affected individuals as soon as practicable. The OAIC has produced guidance on How to Notify the OAIC and a new Data Breach Response Summary.

The Report found malicious or criminal attacks accounted for 59% of NDBs, with theft of paperwork or storage devices a significant source of those attacks. Human error accounted for 36% of NDBs.

Cyber Resilience

The Report stated that, “Malicious or criminal attacks usually involve the theft of personal information, or cyber security incidents resulting from unauthorised access to an entity’s systems.”

Cyber security refers to the body of technologies, processes and practices employed in an organisation which are designed to protect networks, devices, programs and data from attack, damage or unauthorised access. Cyber security measures are generally designed to protect organisations from cyber risks, including:

  • malware
  • phishing/ransomware
  • denial of service attacks
  • human error, and
  • compromised systems.

A recent ACCC report has suggested that a cyber security attack can cost between one and five thousand dollars, with much of the money being unrecoverable after the event. Of even greater significance is the reputational damage which can be sustained.

The issue of cyber resilience is often delegated to IT teams or outsourced to external providers. However, as indicated in ASIC Report 555 Cyber resilience of firms in Australia’s financial markets, managing cyber resilience is very much a  governance issue to be managed through strong corporate governance principles. Developing an overall governance framework, which includes procedures to identify, protect, detect, respond and recover from cyberattacks will assist any organisation to lay solid foundations as part of a robust cyber resilience program.

How CompliSpace can help

In response to the introduction of the NDB Scheme, CompliSpace has developed a detailed suite of policies and procedures, including a DBR Plan and online training content that address the provisions under the legislation in our Privacy Module. CompliSpace is also currently developing a complete set of policies and procedures for cyber resilience as part of our overall governance package. If you are interested in either of these modules, please do not hesitate to contact us.

CompliSpace works with businesses to tailor compliance and risk management systems to a company’s individual needs and characteristics, ensuring meaningful compliance with their legal and regulatory obligations.

Contact Details

P: +61 (2) 9299 6105 (Sydney) / +61 (8) 9288 1826 (Perth)

E: contactus@complispace.com.au

W: www.complispace.com.au