Data Breach: Where and how are data breaches really occurring?

By Peter Karcher, Partner and Jake Reid, Lawyer

Six weeks after the commencement of the Notifiable Data Breaches (NDB) scheme, the Office of the Australian Information Commissioner (OAIC) published its first quarterly report on mandatory data breach notifications.Whilst the report must be viewed with some caution given the brevity of the reporting period, it does support previous findings that suggest that human error remains a major issue for businesses accountable for the protection and integrity of the personal information they hold.

The OAIC received 63 data breach notifications during the reporting period, which ran from the commencement of the NDB scheme on 22 February 2018 until the end of March. Not surprisingly, health service providers were the leading industry sector that reported data breaches to the OAIC, accounting for just under a quarter (24%) of all notifications. Next came legal, accounting and management services (16%), demonstrating that professional services businesses need to be aware of and across the NDB scheme.

The majority (78%) of data breaches notified to the OAIC were reported to involve individuals’ contact information, which includes data such as an individual’s name, email address, phone number and home address. A significant percentage of data breaches involved health information (33%) and financial details (30%).

Over half (59%) of the data breach notifications reported that the personal information of between one and nine individuals was affected, whilst the vast majority (90%) related to breaches involving the personal information of less than 1,000 people.

Perhaps of most interest for businesses is the source of data breaches for the quarter. Human error was reported to be the source for just over half (51%) of the notified data breaches, closely followed by malicious or criminal attacks (44%).

Whilst any fears of malicious or criminal attacks are evidently not unfounded, mistakes and errors are, as expected, proving a more prevalent source of data breaches. Given the results of the report it may be prudent for businesses to focus their energies on considering what additional safeguards they can employ to reduce the risk of human error occurring. This may be as simple as having the functionality to recall emails sent to the wrong person before information is likely to be used or copied or having technology in place to remotely wipe data from a misplaced device. Considering the reputational damage and loss of customer goodwill that a data breach may cause for businesses, this is something that should be at the forefront of their thinking.

Read the full OAIC report here.

For more information, please contact Peter Karcher.

This bulletin is produced as general information in summary for clients and subscribers and should not be relied upon as a substitute for detailed legal advice or as a basis for formulating business or other decisions. ClarkeKann asserts copyright over the contents of this document. This bulletin is produced by ClarkeKann. It is intended to provide general information in summary form on legal topics, current at the time of publication. The contents do not constitute legal advice and should not be relied upon as such. Formal legal advice should be sought in particular matters. Liability limited by a scheme approved under professional standards legislation. Privacy Policy


…and we’ll email you valuable insights into issues affecting you and your business.

More Insights

Disputing beer brands and the Australian Consumer Law

Disputing beer brands and the Australian Consumer Law

Previously we discussed reputation in a trade mark and the law of trade mark infringement under the Trade Marks Act. Next, we consider reputation and its treatment under the Australian Consumer Law and the case between rival brewing companies Brick Lane Brewing Co Pty...

read more
Reputation in a trade mark – not relevant to infringement

Reputation in a trade mark – not relevant to infringement

Independent real estate start-up, The North Agency, fends off property monolith, The Agency, in the Federal Court of Australia. In dismissing all claims against The North Agency, including finding that The North Agency had not infringed The Agency’s trade marks, the...

read more