By Peter Karcher, Partner and Jake Reid, Lawyer
Six weeks after the commencement of the Notifiable Data Breaches (NDB) scheme, the Office of the Australian Information Commissioner (OAIC) published its first quarterly report on mandatory data breach notifications. Whilst the report must be viewed with some caution given the brevity of the reporting period, it supports previous findings that human error remains a major issue for businesses accountable for the protection and integrity of the personal information they hold.
The OAIC received 63 data breach notifications during the reporting period, which ran from the commencement of the NDB scheme on 22 February 2018 until the end of March. Not surprisingly, health service providers were the leading industry sector reporting data breaches to the OAIC, accounting for just under a quarter (24%) of all notifications. Next came legal, accounting and management services (16%), demonstrating that professional services businesses need to understand their obligations under the NDB scheme.
The majority (78%) of data breaches notified to the OAIC were reported to involve individuals’ contact information, which includes data such as an individual’s name, email address, phone number and home address. A significant percentage of data breaches involved health information (33%) and financial details (30%).
Over half (59%) of the data breach notifications reported that the personal information of between one and nine individuals was affected, whilst the vast majority (90%) related to breaches involving the personal information of fewer than 1,000 people.
Perhaps of most interest for businesses is the source of data breaches for the quarter. Human error was reported to be the source for just over half (51%) of the notified data breaches, closely followed by malicious or criminal attacks (44%).
Whilst fears of malicious or criminal attacks are evidently not unfounded, mistakes and errors are, as expected, proving a more prevalent source of data breaches. Given the results of the report, it may be prudent for businesses to focus their energies on the additional safeguards they can employ to reduce the risk of human error. This may be as simple as having the functionality to recall emails sent to the wrong person before the information is likely to be used or copied, or having technology in place to remotely wipe data from a misplaced device. Businesses should note the limits of such measures: email recall generally works only within the same mail system and only before the recipient has opened the message, and remote wipe requires the device to be enrolled in the business's management tooling and to come online. Considering the reputational damage and loss of customer goodwill that a data breach may cause, these safeguards should be at the forefront of businesses' thinking.
Read the full OAIC report here.
For more information, please contact Peter Karcher.