Data security in the spotlight
Over 60 data breach notifications were reported during the first six weeks of the new Notifiable Data Breaches (NDB) scheme. This is according to the Office of the Australian Information Commissioner’s (OAIC) first quarterly report since the introduction of the scheme in February.
Just over half of the eligible data breach notifications received in the first quarter indicated that the cause of the breach was human error, said the OAIC’s acting Australian Information Commissioner and acting Privacy Commissioner, Angelene Falk.
In the 2016–2017 financial year 46% of the data breach notifications received by the OAIC voluntarily were also reported to be the result of human error, said Falk.
“This highlights the importance of implementing robust privacy governance alongside a high standard of security. The risk of a data breach can be greatly reduced by implementing practices such as Privacy Impact Assessments, information security risk assessments and training for any staff responsible for handling personal information.”
The NDB scheme requires entities to notify individuals and the commissioner when their personal information is involved in a data breach that is likely to result in serious harm. These data breaches are referred to as ‘eligible data breaches’.
Failure to comply with the scheme can attract fines of up to $2.1 million.
“A data breach notification provides individuals with the chance to take steps that reduce their risk of experiencing harm, such as changing relevant passwords for online accounts. This can reduce the overall impact of a breach. More broadly, the transparency provided by the NDB scheme reinforces Australian Government agencies’ and businesses’ accountability for personal information protection and encourages a higher standard of security,” said Falk.
“Over time, the quarterly reports of the eligible data breach notifications received by the OAIC will support improved understanding of the trends in eligible data breaches and promote a proactive approach to addressing security risks.”
Most small businesses with an annual turnover of less than $3 million do not have to comply with the Privacy Act and therefore with the NDB, according to the Australian Industry Group (Ai Group). However, there are numerous exceptions, the group said. “A small business with an annual turnover of $3 million or less will have to comply with the NDB if it is: a health service provider; trading in personal information (eg, buying or selling a mailing list); a contractor that provides services under a Commonwealth contract; a reporting entity for the purposes of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth); an operator of a residential tenancy database; a credit reporting body; employee associations registered or recognised under the Fair Work (Registered Organisations) Act 2009 (Cth); businesses that conduct protected action ballots; businesses that are related to a business that is covered by the Privacy Act; businesses prescribed by the Privacy Regulation 2013; or businesses that have opted in to be covered by the Privacy Act,” said the Ai Group in a statement alerting its members about the scheme. If an organisation has an annual turnover of $3 million or less and meets one of the above criteria, the NDB will apply to that organisation or some aspects of it, according to the group.
According to law firm MinterEllison’s ‘Perspectives in Cyber Risk 2018’ research report, released prior to the introduction of the scheme, only 54% of businesses had a cyber risk response plan in place. This is despite more than a third indicating that they had been subject to at least one cyber incident in the last 12 months that compromised their systems or data.
MinterEllison Partner Paul Kallenbach, Head of Cyber Security, said, “There is a distinct risk for those not prepared, given that cyber incidents are occurring — and will continue to occur — with ever greater frequency, severity and impact.”
The firm recommends that organisations focus on understanding and documenting their data and information flows; prepare, test and update their incident response plans; and provide regular training to staff at all levels, said Kallenbach. It’s vital they do this, as cyber attacks are here to stay and pose a serious risk to government and business, he said.
“This year’s report shows there was a decrease in the percentage of organisations that say they audit their suppliers’ IT security practices at least annually (from 34% in 2016 to 21% in 2017) and, in an environment of increasing adoption of cloud services, that’s also a key area where risk management for cyber should be focused,” said Kallenbach.
Veronica Scott, leader of MinterEllison’s National Privacy Group, said the Cyber Risk report echoes the advice of Timothy Pilgrim, Australian Information Commissioner and Australian Privacy Commissioner, who has expressed the view to the firm that, “If an entity knows what information it holds, who handles it, who is responsible for it, where it is held and how it is protected, then the entity can ensure its data breach response plan is as effective as possible.”
“An important finding from this year’s report is that the uptake of cyber insurance continues to rise (from 39% in 2016 to 62% in 2017),” noted Leah Mooney, Special Counsel in MinterEllison’s Insurance & Corporate Risk team. “However, whilst cyber insurance is a useful risk management measure for many organisations, it is important to recognise it is not a panacea and must form part of a wider toolkit of cyber risk management measures.”