On 14 December 2022, the OECD members adopted the Declaration on Government Access to Personal Data held by Private Sector Entities. It is an intergovernmental agreement on common approaches to safeguard privacy and other human rights and freedoms when accessing personal data for national security and law enforcement purposes, and […]
Privacy
OECD Declaration on a Trusted, Sustainable and Inclusive Digital Future
On 15 December 2022, the OECD members adopted the Declaration on a Trusted, Sustainable and Inclusive Digital Future. The Declaration calls on the OECD through the Committee on Digital Economy Policy (CDEP) to develop policy standards and guidance for a trusted, sustainable, inclusive digital future for our countries that reflect […]
Changes to Australia’s Privacy Act: Overview and Preparation Checklist
In the wake of the recent wave of high-profile data breaches at Optus, Medibank and MyDeal, the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 was passed by Federal Parliament on 28 November 2022. The Attorney-General referred to the data breaches as having highlighted ‘the potential to cause serious financial and emotional harm […]
NSW introduces Mandatory Notification of Data Breaches
On 16 November 2022, the NSW Parliament passed amendments to the Privacy and Personal Information Protection Act 1998 (PPIP Act). The amendments to the PPIP Act aim to strengthen privacy legislation in NSW by: creating a Mandatory Notification of Data Breaches (MNDB) Scheme which will require public sector agencies bound by the […]
Balancing Organisational Accountability and Privacy Self-management in APAC
The Asian Business Law Institute and Future of Privacy Forum has published a report providing a detailed comparison of the requirements for processing personal data in 14 jurisdictions in APAC including Australia, China, India, Indonesia, Hong Kong SAR, Japan, Macau SAR, Malaysia, New Zealand, the Philippines, Singapore, South Korea, Thailand, and […]
LawFest 22: Re-connecting & challenging your thinking
On 28 September, 365 legal professionals from across Aotearoa and abroad gathered in person in Auckland for the premier legal innovation and technology event on the New Zealand calendar. LawFest is the only opportunity in New Zealand for the legal and technology community to come together to network, collaborate and […]
OAIC Notifiable Data Breaches Scheme – The first 4 years
The Notifiable Data Breaches (NDB) scheme commenced in February 2018, introducing new obligations for Australian government agencies and private sector organisations with an annual turnover of $3 million AUD or more. Notably, under the NDB scheme organisations are required to undertake an assessment should they suspect:
- Unauthorised access to or disclosure of personal information, or loss of personal information where access by unauthorised persons is likely to occur,
- Serious harm to the individuals to whom the information relates is likely to occur, and
- The risk of serious harm cannot be addressed through remedial action.
If the assessment indicates that serious harm is likely to result from a data breach, the organisation must notify the Office of the Australian Information Commissioner (OAIC) as well as all affected individuals so they can take action to address possible consequences. As data breaches and subsequent investigations are often highly complex, an organisation or agency is given a baseline of 30 days to assess whether a data breach is likely to result in serious harm. However, once the organisation has formed the view that a data breach has occurred, individuals who may be seriously impacted by the data breach must be notified as soon as practicable. For example, in its recent data breach Optus has indicated that the assessment process took place over the course of no more than a couple of days prior to the start of the notification process.
The OAIC has published bi-annual reports summarising the details of reported data breaches since 2018, and this article examines some of the identifiable trends in these reports over the past four years. The OAIC report for the most recent 6-month period (Jan-Jun 2022) should be released in the next few weeks; however, some statistics released ahead of the full report indicate that the trends discussed in this article continue through the most recent period. The full OAIC reports are available from https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics, and further information is available on the OAIC website: https://www.oaic.gov.au/privacy/data-breaches.
Organisations that fail to report a notifiable data breach can be subject to the same penalty as if they had committed a serious or repeated breach of privacy; however, organisations may look for a defensible reason to avoid reporting a breach rather than having to report a data security failure to the regulator. Even serious breaches where substantive personal data has been lost might be considered non-notifiable should the breached organisation feel it has undertaken sufficient remediation action which lessens the chance of serious harm.
Ransomware attacks, one of the common externally perpetrated data breach events, have evolved in recent years to extend beyond holding data in an encrypted state and often now include the exfiltration of sensitive data from target organisations. The data is held by the attacker, with the threat of publication on the dark web balanced against payment of the ransom. Should the breached organisation pay the ransom, the attacker generally will agree to delete the exfiltrated data. While it is essentially impossible to be certain that all copies of this data have been deleted, a breached organisation is likely to consider such an arrangement as sufficient “remediation” of the breach event, in that the likelihood of the data being used in a way that would cause serious harm to individuals is substantially reduced. In such circumstances, the breached organisation may choose not to report the incident to the OAIC, despite the severity of the initial data breach.
Breach Notification Trends
Due to the complex nature of data breaches and the reclassification of notifications over time, there is some variation in breach notification statistics between the time of OAIC publication and the present date. The statistics shown in this article are taken from each quarterly/bi-monthly report and reflect notification data at the time of report publication; it should be noted that breach statistics will have changed to a degree from what we have summarised from the OAIC reports.
Over the past 4 years, there have been more than 3,500 reported data breaches, of which 60% were Malicious (or criminal), 35% were Human Error and 4% were due to System Faults. Taking into account that 2018 was a partial reporting year, approximately 1,000 breaches would have been reported to the OAIC across each of 2018 and 2019, with a slight uptick in 2020 and a substantial reduction in 2021. A summary of the data breach notifications made to the OAIC is displayed in the table immediately below.
| Year | Breaches | Change | Malicious | Change | Human error | Change | System fault | Change |
|---|---|---|---|---|---|---|---|---|
| 2018¹ | 749 | | 449 | | 265 | | 35 | |
| 2019 | 997 | 0% | 625 | +4% | 329 | -7% | 43 | -9% |
| 2020 | 1,057 | +6% | 627 | 0% | 380 | +16% | 50 | +16% |
| 2021 | 910 | -14% | 545 | -13% | 324 | -15% | 41 | -18% |
| Total | 3,713 | | 2,246 | | 1,298 | | 169 | |
The table above also shows that malicious action breach incidents (combining both internally and externally originated) increased in 2019 compared against “non-malicious” breach types; however, this trend was reversed in the following year. This was followed by a slight reduction in all types of breach notifications in 2021. Overall, the OAIC NDB reports show a fairly flat trajectory over the length of the scheme.
Conversely, US data on publicly reported data breaches over this time period shows year-on-year increases between 2018 and 2021, effectively doubling from 1,244 to 2,407 per year over this time period². It is worth noting that data breach reporting requirements in the US vary from state to state and are substantially different to the Australian NDB scheme. However, the significant difference in the overall trend of breach reports is still interesting, particularly as the US data indicate that the number and severity of malicious cyber-attacks appear to be increasing over time³. In contrast, the declining number of reported malicious breaches (as well as non-malicious breaches) in the Australian NDB data suggests there may be other systemic factors at play with regard to the number and type of breaches reported under the NDB scheme.
Number of individuals impacted by a breach
As can be seen in the table below, the majority of data breaches tend to have low numbers of individuals affected by the breach. However, the number of data breaches affecting large numbers of individuals remained fairly steady over the data period, indicating that a significant proportion of the Australian population is likely to have been impacted by a data breach throughout this time period.
| Year | Total Breaches | <1k | 1k-5k | 5k-10k | 10k-25k | 25k-50k | 50k-100k | 100k-250k | 250k-500k | 500k-1m | >1m | Unknown |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2018 | 749 | 638 | 61 | 15 | 9 | 1 | 4 | 4 | 1 | 0 | 2 | 14 |
| 2019 | 997 | 834 | 74 | 19 | 16 | 7 | 5 | 5 | 2 | 0 | 5 | 30 |
| 2020 | 1,057 | 890 | 90 | 12 | 13 | 14 | 6 | 2 | 4 | 2 | 7 | 13 |
| 2021 | 910 | 787 | 71 | 12 | 15 | 7 | 5 | 4 | 2 | 1 | 4 | 2 |
| Total | 3,692 | 3,149 | 296 | 58 | 53 | 29 | 20 | 15 | 9 | 6 | 16 | 59 |
Kinds of personal information (PI) involved in breaches
The majority of personal information present in data breaches was contact information, followed almost equally by financial and identity information. The proportions of personal information types present in data breaches have not changed significantly year to year, indicating that there have not been significant changes in how organisations are holding or protecting particular types of personal information over this period.
The higher number of breaches relating to contact information will be, to some degree, a function of the fact that only certain organisations need to hold more specific personal information about their customers. Despite the apparently lower impact of breaches relating to contact information, such data is still of substantial value to cyber-criminals for use in phishing and other targeted attacks, and may also be combined with information from other data breaches for more specific criminal use.
| Year | Contact Info | Financial Details | Identity Information | TFN | Health | Other sensitive information |
|---|---|---|---|---|---|---|
| 2018 | 647 | 335 | 273 | 186 | 148 | 61 |
| 2019 | 817 | 398 | 293 | 255 | 157 | 85 |
| 2020 | 890 | 408 | 439 | 272 | 184 | 134 |
| 2021 | 803 | 376 | 432 | 256 | 184 | 140 |
| Total | 3,157 | 1,517 | 1,437 | 969 | 673 | 420 |
Maliciously originated breaches
Most forms of malicious/criminal attack have been fairly consistent year-on-year; however, ransomware in particular has been increasing year on year, and 45% of all ransomware incidents occurred in 2021. The steady increase in this form of money-motivated cyber-attack aligns with anecdotal and industry reports of increases in this type of activity from organised cyber-criminal gangs and certain nation-state actors.
It is interesting to consider the Optus data breach in the light of whether it would be considered a maliciously originated breach, a system fault, or a combination of both. While it certainly appears that a maliciously motivated individual or group has exfiltrated Optus customer data, the methods used remain a matter of debate and have not been fully confirmed by Optus or the federal government. If that were the case, an oversight which results in an API (Application Programming Interface) connected to a customer details database being left open to external connections would almost certainly be viewed as a failure of internal systems and procedures. Optus’ CEO has indicated that the cause of the breach was not as straightforward as this, suggesting a more complex cause involving specific malicious technical action.
| Year | 2018 | 2019 | 2020 | 2021 | Total |
|---|---|---|---|---|---|
| Malicious Breaches | 449 | 625 | 627 | 545 | 2,246 |
| Theft paper/Storage | 73 | 80 | 53 | 61 | 267 |
| Social Engineering | 28 | 52 | 84 | 65 | 229 |
| Rogue Employee/Insider Threat | 41 | 71 | 60 | 54 | 226 |
| Cyber (ALL) | 307 | 422 | 430 | 365 | 1,524 |
| Cyber – Phishing | 125 | 146 | 132 | 113 | 517 |
| Cyber – Stolen Credentials | 79 | 140 | 108 | 100 | 426 |
| Cyber – Ransomware | 18 | 29 | 69 | 86 | 202 |
| Cyber – Hacking | 27 | 34 | 59 | 31 | 151 |
| Cyber – Brute | 34 | 25 | 30 | 18 | 107 |
| Cyber – Malware | 20 | 37 | 24 | 16 | 95 |
| Cyber – Other | 5 | 10 | 9 | 2 | 26 |
Human error breaches
The majority of human error breaches are due to wrongly addressed emails, and this has consistently been the highest category, even with the 15% reduction in 2021. Unlike malicious or systemic breaches, human error breaches – as classified by the OAIC – have limited technical controls that can be implemented to assist with prevention. Instead, education and procedure remain the best defence against these types of breaches.
| Year | 2018 | 2019 | 2020 | 2021 | Total |
|---|---|---|---|---|---|
| Human Error Breaches | 265 | 329 | 380 | 324 | 1,298 |
| Wrong email recipient | 74 | 101 | 160 | 136 | 471 |
| Wrong hardcopy recipient | 33 | 30 | 37 | 18 | 118 |
| Loss of hard/soft storage | 34 | 40 | 25 | 23 | 122 |
| Unintended release/publication | 41 | 76 | 62 | 71 | 250 |
| Failure to use BCC | 22 | 18 | 30 | 25 | 95 |
| Failure to redact | 14 | 19 | 20 | 23 | 76 |
| Unauthorised verbal disclosure | 8 | 19 | 18 | 11 | 56 |
| Insecure disposal | 8 | 5 | 2 | 0 | 15 |
| Wrong Recipient (Other) | 19 | 21 | 25 | 17 | 82 |
| Other | 12 | 0 | 1 | 0 | 13 |
Business Sector Activity
The Health, Finance and Business Services sectors collectively made up over 45% of all reported breaches in 2019 and 2020. In 2021, when substantially fewer breach reports were made compared to previous periods, the combined breaches in these three sectors were still approximately 40% of the overall reports. Maliciously originated data breaches in the Legal, Accounting and Management sector were the only category to see a substantial rise in 2021, with almost all other types of breaches in these sectors seeing a decline from the previous year.
Given the level of highly personal information held by Health sector organisations, the fact that these organisations feature so highly in the NDB statistics is cause for specific concern. While federal and state legislation provides guidance for the collection, management and use of health data, as well as highlighting the highly confidential nature of such data, Australia currently does not have an equivalent to the US HIPAA, under which substantive penalties and sanctions can be levied specifically for non-criminal use or loss of health data.
| Sector | 2019 | 2020 | 2021 | Total |
|---|---|---|---|---|
| Health – Malicious | 111 | 97 | 87 | 295 |
| Health – Human Error | 106 | 135 | 74 | 315 |
| Health – System Error | 5 | 6 | 7 | 18 |
| Finance – Malicious | 77 | 98 | 57 | 232 |
| Finance – Human Error | 59 | 47 | 44 | 150 |
| Finance – System Error | 10 | 11 | 12 | 33 |
| Legal, accounting & management – Malicious | 60 | 42 | 61 | 163 |
| Legal, accounting & management – Human Error | 25 | 22 | 24 | 71 |
| Legal, accounting & management – System Error | 2 | 5 | 1 | 8 |
| Total | 455 | 463 | 367 | 1,285 |
The OAIC provides details on the top 5 sectors reporting data breaches in each period. As only the Health, Finance and Legal, Accounting & Management sectors have consistently appeared in the periodic reports, and only the 2019-2021 reporting periods include complete data, only the data from those three sectors and three periods has been included in this analysis.
Observations
The OAIC official data breach statistics show an overall declining trend in reported breaches under the NDB scheme. On the surface this would potentially represent a good news story, in that organisations are becoming better at preventing data breaches and successful malicious attacks on organisations may be becoming fewer. The counter-argument to this observation is that the legal advice and remediation response organisations use to inform their decisions on whether a breach falls under the NDB scheme may have changed over time, resulting in fewer breaches being reported rather than fewer breaches actually occurring.
The recent data breach incident at Optus has highlighted the widescale impact that a large data breach can have both on the breached organisation and on the individuals to whom the data belonged. In terms of the scale, size and type of data that was taken, in addition to the media coverage, there would be little chance that any person assessing this breach would consider that it did not require mandatory reporting. However, in circumstances where a less comprehensive data set was exposed, with substantially fewer affected individuals, the potential for serious harm may not be considered as high, resulting in variable decisions to report.
A smaller-scope breach involving only the loss of customer name and address information might be considered to have a lesser chance of causing serious harm by itself. When such a breach is potentially remediated – say by payment of a ransom – an organisation may feel that the breach no longer meets the threshold requiring mandatory reporting and notification of affected individuals. However, there is little in the way of guarantees that organisations can seek from cyber-criminals who hold exfiltrated data to ransom. The destruction of this data upon payment of a ransom is entirely in the control of the criminals and cannot be verified by the organisation.
It is also worth noting that a somewhat “lesser” data breach containing names and addresses may be combined with data sets containing account details, passwords and identity information obtained from other breaches. In a similar way that de-identified “Big Data” sets hold the potential for “re-identification” of individuals, combining multiple data sets residing on the dark web following successive breaches of different organisations results in a substantially higher chance of serious harm to affected individuals over time. As such, the OAIC and the Federal Government may wish to consider providing further guidance around notification requirements based on the type of data that is exposed during a breach, as well as on what successful remediation of a breach should cover.
The Optus data breach has also demonstrated that certain types of organisation are required for regulatory reasons to collect more personal information than others. There appears to be substantial uncertainty in the various regulations governing this requirement as to the length of time such information needs to be held and also as to how such information can be used and must be protected by the collecting organisation. Undoubtedly both Federal and State governments in Australia have observed this issue in recent weeks and it can be hoped that specific actions clarifying and improving regulatory requirements around collection, storage, use and disposal of personal information by Australian organisations will be forthcoming in the near future.
Other obligations in reporting an NDB
Organisations may have other obligations outside of those contained in the Privacy Act that relate to personal information protection when responding to a data breach. These may include data protection obligations under state-based or international data protection laws. Notably, Australian businesses may need to comply with the European Union’s (EU’s) General Data Protection Regulation (GDPR) if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.
For data breaches affecting certain categories of information, other mandatory or voluntary reporting schemes may exist. For example, entities may need to consider reporting breaches to:
- the entity’s financial services provider
- police or law enforcement bodies
- the Australian Securities & Investments Commission (ASIC)
- the Australian Prudential Regulation Authority (APRA)
- the Australian Taxation Office (ATO)
- the Australian Transaction Reports and Analysis Centre (AUSTRAC)
- the Australian Cyber Security Centre (ACSC)
- the Australian Digital Health Agency (ADHA)
- the Department of Health
- State or Territory Privacy and Information Commissioners
- professional associations and regulatory bodies
- insurance providers.
Useful resources
Office of the Australian Information Commissioner https://www.oaic.gov.au/privacy
- Tips to protect your privacy: https://www.oaic.gov.au/privacy/your-privacy-rights/tips-to-protect-your-privacy
- Act quickly if you are affected by a data breach: https://www.oaic.gov.au/__data/assets/pdf_file/0010/2170/act-quickly-if-you-are-affected-by-a-data-breach-poster.pdf
- Data breach preparation and response: https://www.oaic.gov.au/privacy/guidance-and-advice/data-breach-preparation-and-response
Australian Cyber Security Centre (ACSC) https://www.cyber.gov.au/
- Glossary defining commonly used terms: https://www.cyber.gov.au/acsc/view-all-content/glossary
- Cyber Incident Response Plan: https://www.cyber.gov.au/acsc/view-all-content/publications/cyber-incident-response-plan
- Resources and How-to guides: https://www.cyber.gov.au/learn/resources-library
IDCare https://www.idcare.org/about-idcare/what-is-idcare
- Breach response portal for individuals: https://www.idcare.org/mydatacare
- Fact sheets: https://www.idcare.org/learning-centre/fact-sheets
Scamwatch https://www.scamwatch.gov.au/
MoneySmart https://www.moneysmart.gov.au/
The Office of the eSafety Commissioner https://www.esafety.gov.au/
Author
Dr Peter Chapman, Director, Forensic Technology – KPMG
Thank you to Matthew Golab, Director – Legal Informatics and R&D at Gilbert and Tobin, for his analysis of the OAIC reports and contribution to this article.
OAIC guidance on retention and deletion of PI
In July, OAIC published guidance on the retention and deletion of personal information (PI) collected during the COVID-19 pandemic. Organisations should take stock of the personal information they hold and assess whether it is necessary to continue to collect and retain PI.
Australian Privacy Principles 11.1 and 11.2 require that reasonable steps be taken to protect personal information and personal information be destroyed or de-identified once it is no longer needed.
If information is stored electronically, such as in cloud-based storage, servers, USBs or with a third-party provider, you should ensure that the digital records are permanently destroyed, including in any back-up system or offsite storage.
It is also important to consider whether employees require any training to ensure that personal information is securely destroyed.
In November, OAIC published the COVIDSafe privacy report in accordance with s 94ZB of the Privacy Act, which examined compliance and risk throughout the ‘information lifecycle’ of COVID app data collected during the pandemic. Read the COVIDSafe Report May–November 2022 here.
OAIC’s guidance on vaccination status and protecting privacy
OAIC has updated its guidance on COVID-19: Vaccinations and privacy rights as an employee and Vaccinations: Understanding your privacy obligations to your staff. Key points include: Vaccination status information can only be collected without consent in circumstances where the collection is required or authorised by law (including a state or territory […]
New Zealand’s Privacy Commissioner releases a paper on biometric regulation
New Zealand’s Office of the Privacy Commissioner (OPC) has released a position paper setting out how the Privacy Act regulates biometrics. The increasing role of biometric technologies in the lives of New Zealanders has led to calls for greater regulation of biometrics. In a statement releasing the paper, the OPC said, ‘[it] believes […]
Digital Identity Legislation
The Australian Government has released an exposure draft of the Digital Identity legislation (the Trusted Digital Identity Bill) to support the expansion of the Australian Government Digital Identity System (the System). The proposed legislation aims to enshrine in law, privacy and consumer safeguards in the System as it expands to include […]
OVIC Guidance on Collaboration Tools
The rise of flexible working arrangements means that collaboration tools, such as videoconferencing and instant messaging tools, as well as cloud-based document creation and sharing services, are increasingly essential to facilitate collaboration. The Office of the Victorian Information Commissioner has provided guidance to assist organisations to consider their privacy obligations […]
Protection of Personal Information in Universities
The protection of information by universities has come under focus in recent years as a number of Australian universities have been subject to cybersecurity attacks. These attacks highlight the risks of data breaches and the potential impact on students, staff, and research participants. This led to the Office of the […]
Protection of Personal Data in Universities Report
Victoria’s Information Commissioner recently released a report following an examination of the privacy policies and procedures in eight Victorian universities. The report found that many universities don’t have clear policies to guide staff to destroy personal information when it is no longer needed. While Universities are prioritising ICT and cybersecurity risks, in […]
OAIC guidelines on the collection of staff vaccination status
With the COVID-19 vaccine national rollout underway, the Office of the Australian Information Commissioner has released a new COVID-19 Vaccinations privacy guidance for employers to understand their obligations when collecting, using, storing and disclosing employee health information related to the vaccine. It complements the COVID-19 Guidance for employers which provides […]
NZ OPC’s interactive tools for international personal data transfers
The Office of the Privacy Commissioner has created two new interactive online tools to help organisations and businesses understand what they need to do if they are sending New Zealanders’ personal information overseas to comply with the new principle 12. The Principle 12 Decision Tree – is designed to help organisations, especially SMEs, easily […]
APAC Privacy Law Update: Cross Border Transfers
With a range of new regulations, tools and projects underway, Information Governance ANZ were pleased to host a virtual forum with updates on the latest data privacy developments across the Asia Pacific region. This interactive session was facilitated by Susan Bennett, Founder of InfoGovANZ and our special guests included: NZ […]
Protecting Privacy by Minimizing Data
Posted with permission from Active Navigation, originally published on June 1. Ten years ago, there was no such thing as too much data. Notions about data being the “new oil” prompted organizations to horde every byte they could, hoping that they might be able to harness it down the road. […]
P3 Project Privacy Podcast from Active Navigation
Looking for a new podcast about data privacy? Active Navigation has exactly what you need – the P3: Project Privacy Podcast aims to help you understand the evolving data privacy landscape. Episodes include: The ROI of Proper Data Management; Records Management in Highly Regulated Industries; High Stakes Records Management; The […]
Information Security Risk Management Practitioner Guide – OVIC
The Office of the Victorian Information Commissioner (OVIC) issues security guides to support the Victorian Protective Data Security Standards (VPDSS). This document provides organisations with guidance on security risk management fundamentals to enable them to undertake a Security Risk Profile Assessment (SRPA) as required under s89 of the Privacy and […]