
Who let the data out? New report shows significant increase in data breaches that resulted from human error

Malcolm Campbell

The Office of the Australian Information Commissioner (OAIC) recently published its Notifiable Data Breaches Report (Report), which is based on notifications made under the Notifiable Data Breaches (NDB) Scheme between 1 July 2020 and 31 December 2020. The Report revealed a significant increase in data breaches that resulted from human error. It is a timely reminder of the importance of organisations taking active steps to prevent data breaches.

What is the NDB scheme?

The scheme commenced in February 2018 to protect consumers by encouraging better standards when dealing with consumers’ personal information. Under the scheme, any organisation or agency covered by the Privacy Act 1988 (Cth) must notify the OAIC and all affected individuals when it has reasonable grounds to believe that an eligible data breach has occurred.

Who does the scheme apply to?

The following entities are covered by the scheme:

  • Australian Government agencies;
  • Organisations that have an annual turnover of more than AU$3 million;
  • Private sector health service providers;
  • Credit reporting bodies;
  • Credit providers;
  • Tax file number recipients; and,
  • Entities that trade in personal information.

What is an eligible data breach and what must be done if a breach occurs?

If a data breach meets the following criteria, it will be classified as an eligible data breach:

  1. Personal information that an entity holds has been lost or there is unauthorised access or disclosure of personal information.
  2. From the perspective of a reasonable person, the breach is likely to result in serious harm to affected individual/s.
  3. The entity has not been able to prevent the likely risk of serious harm through remedial action.

In the context of a data breach, serious harm can include serious physical, psychological, emotional, financial, or reputational harm.

An entity must take all reasonable steps to complete its assessment within 30 days after it becomes aware of grounds to suspect an eligible data breach. If an eligible data breach is established, the entity must then, as soon as practicable, provide a statement to the Information Commissioner and notify the affected individuals promptly.

What were the key findings of the Report?

The Report demonstrated that in the period from 1 July 2020 to 31 December 2020:

  • the OAIC received 539 data breach notifications, which is an increase of 5% compared to the previous six months;
  • 58% of notifications resulted from malicious or criminal attacks, 38% resulted from human error, and 5% were the result of system faults;
  • there was an 18% increase in data breaches attributed to human error (173 to 204 notifications); and,
  • the health sector remained the highest reporting industry sector (23% of notifications).

The key concern has been the significant increase in breaches that resulted from human error.

What can organisations do to prevent data breaches and meet their obligations under the scheme?

The OAIC has stated that “organisations need to reduce the risk of a data breach by addressing human error – for example, by prioritising staff training on secure information handling practices.”

Organisations should also implement the following to prevent and mitigate data breaches:

  • strong password protection strategies, for example increasing password length and complexity;
  • raising staff awareness about the importance of protecting credentials;
  • training staff on cyber security awareness; and,
  • using multi-factor authentication for remote access to business systems.

Organisations should also have a data breach response plan in place so that they can respond to a breach promptly. The plan should address how to:

  1. Contain the breach
  2. Assess the risks for individuals associated with the breach
  3. Consider breach notification
  4. Review the incident and take action to prevent future breaches.

How can we help?

If you require assistance with understanding your privacy obligations, putting in place a data breach response plan, or responding to a data breach, please do not hesitate to contact a team member of Coleman Greig’s Commercial Advice Team, who would be more than happy to assist you.

© 2024 Coleman Greig Lawyers | Liability limited by a scheme approved under Professional Standards Legislation. ABN 73 125 176 230