One third of data breaches caused by human error
The Notifiable Data Breaches (NDB) scheme has revealed that more than a third of all data breaches reported in the last year were due to human error, underscoring the importance of effective training, processes and technologies to support data protection in the future.
Introduced in February 2018, the NDB scheme requires entities to notify the Office of the Australian Information Commissioner (OAIC) and individuals if a data breach involving their personal information is likely to result in serious harm.
Statistics from the 12-month Insights Report, released by the OAIC, revealed that 964 data breaches were reported from 1 April 2018 to 31 March 2019. This marks a 712% increase in notifications compared with the previous 12 months under the voluntary scheme, which the report said is “a clear sign of their awareness of, and compliance with, the NDB scheme”.
Of the 964 notifications, 60% were due to malicious or criminal attacks, 35% to human error and 5% to system faults. The report also revealed that the health sector reported the most data breaches, with human error accounting for 55% of those.
Phishing was found to be the leading cause of data breaches (153), while 97 breaches were the result of personal information being emailed to the wrong recipient.
Australian Information Commissioner and Privacy Commissioner Angelene Falk called on regulated entities to heed the lessons from the NDB scheme’s first year of operation.
“Our report shows a clear trend towards the human factor in data breaches — so training and supporting your people and improving processes and technology are critical to keeping customers’ personal information safe,” she said.
Training employees was recognised as one of five best practice notifiable data breach tips for entities. The report suggested that all employees should be trained to detect and report email-based threats (such as phishing), understand basic account security (such as secure passwords) and protect their devices; that a dedicated training program should combine face-to-face training and e-learning; and that entities should consider their broader workforce, including contractors, when setting awareness strategies.
Other best practice tips were: preventative technologies and processes, such as multi-factor authentication; effective preparation, such as a data breach response plan; an assessment process that can determine whether a data breach is notifiable or not; and post-breach communication that promotes transparency and simplicity.
After more than 12 months in operation, entities should now be well equipped to meet their obligations under the scheme, Falk said. Her office has worked with more than 1000 organisations that notified a breach, helping to ensure they were contained and measures were put in place to prevent a recurrence.
“This approach has been successful in elevating the security posture in those organisations and increasing transparent and accountable personal information handling practices,” she said.
The OAIC will continue to take a proportionate and evidence‑based regulatory approach to data breaches, exercising enforcement powers where necessary.
Looking ahead, organisations should move beyond a purely compliance mindset and view data protection as an opportunity to enhance consumer trust, the report concluded.