Latest OAIC data breach report: a reduction in notifications but persistent concerns about cyber security incidents. - Lexology

KPMG Law
Kate Marshall, Veronica Scott
Australia August 25 2021
The Office of the Australian Information Commissioner (OAIC) now releases bi-annual reports on data breaches reported under the Notifiable Data Breaches (NDB) scheme in the Privacy Act 1988 (Cth) (Privacy Act). Its latest report, covering January 2021 to June 2021, shows that 446 data breach notifications were received, a decrease of 16% on the previous reporting period. The overall trends and takeaways, however, remain consistent with the last year - see our article here for our insights on the period July to December 2020.

Key causes of breaches

Once again, malicious attacks and human error are the main causes of reported breaches. 65% were attributed to malicious or criminal attacks, 30% resulted from human error and 5% related to system faults. Phishing, ransomware, and compromised or stolen credentials were the main causes of cyber incidents, followed by social engineering or impersonation, rogue employees or insider threats, and theft of paperwork or storage devices.

The OAIC warns in its report that victims of ransomware, which it defines as “malicious software that makes data or systems unusable until the victim makes a payment”, should not assume they have not had a notifiable data breach merely because there is no evidence that data exfiltration occurred. Given the prevalence of ransomware attacks, the OAIC has stated that it expects appropriate internal practices, procedures and systems to be in place to undertake a meaningful assessment of such incidents and to implement protective and preventative measures.

Sectors

The health sector (19%), followed by the finance sector (13%), continues to be the source of the largest number of notifications since the NDB scheme commenced in early 2018. For these two sectors, malicious or criminal attacks account for the majority of notifications, whereas the breaches notified by the Australian Government were largely caused by human error.

Data breach response

The report highlights that the time taken to identify data breaches varied significantly depending on the source of the breach. Data breaches involving a malicious or criminal attack or human error were identified within 30 days in more than 80% of notifications. Conversely, data breaches resulting from a system fault were identified within 30 days only 61% of the time, and 30% took longer than 12 months to identify.

Upon becoming aware of a suspected data breach, the Privacy Act requires entities to take all reasonable steps to ensure that an assessment of whether it is an eligible data breach is completed within 30 days. In the six-month reporting period, 72% of entities notified the OAIC within this timeframe, a decrease from 78% in the previous period.

Of course, this data does not capture instances where a data breach incident has occurred, and the entity has not notified the OAIC due to remediation preventing serious harm to individuals or the incident not being assessed as notifiable. Organisations should remain acutely aware that there is a positive duty to investigate and assess a suspected data breach and report it to the OAIC if it meets the threshold requirements to be “notifiable”.

Impact

Whilst 93% of data breaches affected 5,000 individuals or fewer, six data breaches were each reported to have affected more than 250,000 individuals, with the highest affecting more than 10 million individuals.

Takeaways – managing cyber risk

The evolving cyber threat environment, the continued increase in cyber security incidents and the expanded digital footprint of many organisations mean it is more critical than ever that organisations take proactive steps to protect against, and prepare to respond to, data security incidents. Attacks on the integrity, confidentiality and availability of organisations’ data (including personal information, business and financial records and supplier data) and systems can have severe impacts, including disruption of operations, costly investigations and notification processes, regulatory action, complaints, claims and reputational damage. Organisations that are listed, operate in particular sectors such as financial services, or operate in multiple jurisdictions are likely to have more extensive regulatory obligations, including notification and disclosure requirements. Directors also need to consider their duty of care obligations under the Corporations Act. This is in addition to any contractual and supply chain risks that need to be considered.

Changes to cyber regulatory obligations are happening. These include:

The Security of Critical Infrastructure Bill 2020, which will extend the regime from traditional critical infrastructure to 11 sectors and will impose positive cyber security obligations, as well as cyber incident reporting requirements, on organisations and their Boards; and
the Federal Government’s consultation on strengthening cyber security regulations, which canvasses more prescriptive security obligations to protect personal information and will add to the obligations that organisations and their Boards need to prepare for.
From our experience of helping clients respond to and investigate incidents, and as reflected in the OAIC guidance, organisations should:

have a developed and documented incident response plan to use and be ready to investigate suspected data breaches including ransomware attacks – engaging the right legal and forensic team who understand the organisation and can quickly triage and conduct a forensic analysis is critical;
adopt and follow protective measures to prevent ransomware and follow current Australian Cyber Security Centre advice which can be located here;
ensure they have appropriate audit and access logs;
ensure they understand what data they hold and where (both structured and unstructured);
adopt a robust record retention policy and procedure;
determine their position on paying any ransom demands they might receive and understand how this will affect their approach to cyber risk management and incident response;
ensure their staff follow cyber security policies and procedures and are adequately trained in identifying social engineering attacks; and
review their cyber insurance coverage to understand what incident response support and financial cover it provides and whether these are fit for purpose.