A summary of the Notifiable Data Breaches Report issued on January 28 2021
Under the Notifiable Data Breaches (NDB) scheme, any organisation or Australian government agency covered by the Privacy Act 1988 (Cth)[1] (Privacy Act) must notify affected individuals and the Australian Government’s Office of the Australian Information Commissioner (OAIC) when a data breach is likely to “result in serious harm to an individual whose personal information is involved.”[2]
Twice a year the OAIC publishes a report on the notifications received under the NDB scheme.
The most recent report was released on 28 January 2021 (NDB Report), covering notifications received between July and December 2020 (the reporting period).[3]
Summary of Findings
The following is a summary of the findings set out in the NDB Report:
- 539 notifications were received during this reporting period. This represents a 5% increase compared to the 512 notifications received during the previous 6 months.
- The top 5 industry sectors by notifications were as follows:

| Industry | Number of Notifications |
| --- | --- |
| Health service providers | 123 |
| Finance (including superannuation) | 80 |
| Education | 40 |
| Legal, accounting and management services | 38 |
| Australian Government | 33 |
For the first time since such reports have been released, the Australian Government entered the top 5 industry sectors, replacing the insurance sector. This comes as no surprise, as the reporting period follows Prime Minister Scott Morrison’s statement, released in June 2020, that Australian governments and industry were being targeted by a sophisticated state-based cyber actor.[4]
- Data breaches caused by malicious or criminal attacks were the largest source, with 310 (58%) reported breaches. Despite remaining the leading source of data breaches, this represents a 1% decrease compared to the previous 6 months. Human error, on the other hand, increased significantly by 18%[5] and remained a major source of breaches, accounting for 204 notifications. System faults accounted for the remaining 25 breaches notified.
- 68% of eligible data breaches involved the personal information of 100 individuals or fewer. There was at least one breach that affected 10,000,001 or more individuals.
- 91% of notifications during this reporting period involved contact information, including home address, phone number or email address. Meanwhile, 45% of breaches involved exposure of identity information such as a driver’s licence or passport number.[6]
- The report identifies that the time taken to identify a data breach[7] varied depending on the source of the breach. 84% of entities that experienced a human error breach identified the incident within 30 days of it occurring. However, only 56% of entities identified a data breach resulting from a system fault within 30 days.
- As to the time taken to notify the OAIC of breaches, 78% of entities notified the OAIC within 30 days of becoming aware of an incident that was assessed to be an eligible data breach. However, 5% of entities took longer than 120 days after they became aware of an incident to notify the OAIC.
Key Takeaways
1) Education and awareness are key.
Human error remains a significant source of data breaches. Whilst inconclusive, the NDB Report notes that the 18% increase in notifications due to human error may be linked to changes in business and information handling practices resulting from working remotely as a consequence of COVID-19.[8]
Organisations need to proactively ensure their employees are made aware of the potential for data breaches, and continue to educate their employees on the best practices to adopt in order to protect the organisation.
2) Assessment and notification of data breaches should not be delayed.
The NDB Report notes that the OAIC is increasingly seeing instances of organisations taking much longer than 30 days to complete their breach assessments, with further significant delays before they notify affected individuals.[9] Delayed notifications affect the ability of individuals to make an informed decision about how best to protect themselves from harm.
Entities’ data breach notifications must balance timeliness and thoroughness to meet the requirements of the Privacy Act.[10]
3) In cases involving multi-party breaches, the managed service provider (MSP) and its customer must determine which party will report the data breach.
In the NDB Report, the OAIC notes that it received a number of notifications during the reporting period that involved an MSP hosting or holding data on behalf of one or more other entities.[11]
In these circumstances, whilst the MSP and its affected customer do not both have to notify the data breach, the OAIC has warned that at least one party is required to do so. Accordingly, the MSP and customer will need to consult and agree on which one will notify the breach. The OAIC’s recommendation is that the entity with the most direct relationship with the affected individuals should generally carry out the notification.
4) The NDB Report provides several examples of good data breach response and assessment practices.
In particular, the OAIC provides a notable example involving a business email compromise attack.[12] Some crucial elements include:
- The entity immediately locked down the affected staff member’s email account and commenced internal investigation.
- Within 2 days, an external IT security incident response company was appointed to conduct a forensic investigation.
- Staff were notified of the breach promptly and provided with guidance on IT security best practice.
- The OAIC and all affected individuals the entity had identified as being at risk of serious harm from the breach were notified by day 35.
If you would like to review the full Notifiable Data Breaches Report, please do so here.
Meanwhile, if you have any questions regarding the Notifiable Data Breaches scheme, please contact our dedicated team of Cyber experts who can provide advice on cyber risk management and insurance solutions.
Please note: This document and any recommendations, analysis, or advice provided by Marsh (collectively, the ‘Marsh Analysis’) are not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Any statements concerning legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as legal advice, for which you should consult your own professional advisors. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Except as may be set forth in an agreement between you and Marsh, Marsh shall have no obligation to update the Marsh Analysis and shall have no liability to you or any other party with regard to the Marsh Analysis or to any services provided by a third party to you or Marsh. LCPA No. 21/032.
[1] Entities covered under the NDB scheme generally include Australian Government agencies, businesses and not-for-profit organisations that have an annual turnover of more than AU$3 million, private sector health service providers, credit reporting bodies, credit providers, entities that trade in personal information and tax file number (TFN) recipients.
[2] ss 26WE, 26WK and 26WL of the Privacy Act 1988 (Cth).
[3] The report was released by the OAIC under the following licence: https://creativecommons.org/licenses/by/3.0/au/legalcode.
[4] Crowe, David and Koslowski, Max, ‘Morrison reveals malicious “state-based” cyber attack on governments’ (2020). https://www.smh.com.au/politics/federal/morrison-reveals-malicious-state-based-cyber-attack-hitting-several-sectors-20200619-p5545z.html
[5] NDB Report, pages 3 and 7: this figure is calculated based on the increase in the total number of notifications received.
[6] NDB Report, page 9: ‘contact information’ includes an individual’s home address, phone number or email. This is distinct from ‘identity information’, which is used to confirm an individual’s identity, such as a passport number or driver’s licence number.
[7] NDB Report, pages 11-12: the figures do not relate to the time taken by the entity to assess whether an incident qualified as an eligible data breach.
[8] NDB Report, page 7.
[9] NDB Report, page 10.
[10] NDB Report, page 15.
[11] NDB Report, pages 8-9.
[12] NDB Report, page 21.