Data Breach: Where and how are data breaches really occurring?

By Peter Karcher, Partner and Jake Reid, Lawyer

Six weeks after the commencement of the Notifiable Data Breaches (NDB) scheme, the Office of the Australian Information Commissioner (OAIC) published its first quarterly report on mandatory data breach notifications. Whilst the report must be viewed with some caution given the brevity of the reporting period, it does support previous findings that suggest that human error remains a major issue for businesses accountable for the protection and integrity of the personal information they hold.

The OAIC received 63 data breach notifications during the reporting period, which ran from the commencement of the NDB scheme on 22 February 2018 until the end of March. Not surprisingly, health service providers were the leading industry sector that reported data breaches to the OAIC, accounting for just under a quarter (24%) of all notifications. Next came legal, accounting and management services (16%), demonstrating that professional services businesses need to be aware of and across the NDB scheme.

The majority (78%) of data breaches notified to the OAIC were reported to involve individuals’ contact information, which includes data such as an individual’s name, email address, phone number and home address. A significant percentage of data breaches involved health information (33%) and financial details (30%).

Over half (59%) of the data breach notifications reported that the personal information of between one and nine individuals was affected, whilst the vast majority (90%) related to breaches involving the personal information of fewer than 1,000 people.

Perhaps of most interest for businesses is the source of data breaches for the quarter. Human error was reported to be the source for just over half (51%) of the notified data breaches, closely followed by malicious or criminal attacks (44%).

Whilst any fears of malicious or criminal attacks are evidently not unfounded, mistakes and errors are, as expected, proving a more prevalent source of data breaches. Given the results of the report it may be prudent for businesses to focus their energies on considering what additional safeguards they can employ to reduce the risk of human error occurring. This may be as simple as having the functionality to recall emails sent to the wrong person before information is likely to be used or copied or having technology in place to remotely wipe data from a misplaced device. Considering the reputational damage and loss of customer goodwill that a data breach may cause for businesses, this is something that should be at the forefront of their thinking.

Read the full OAIC report here.

For more information, please contact Peter Karcher.

This bulletin is produced as general information in summary for clients and subscribers and should not be relied upon as a substitute for detailed legal advice or as a basis for formulating business or other decisions. ClarkeKann asserts copyright over the contents of this document. This bulletin is produced by ClarkeKann. It is intended to provide general information in summary form on legal topics, current at the time of publication. The contents do not constitute legal advice and should not be relied upon as such. Formal legal advice should be sought in particular matters. Liability limited by a scheme approved under professional standards legislation.
