The Notifiable Data Breaches scheme was enacted on February 22nd of this year, and we published a number of articles leading up to the commencement date of the scheme (which can be found here and here) to spread awareness among Australian organisations, which must now, under the Australian Privacy Act 1988, report all data breaches to the Office of the Australian Information Commissioner (OAIC) or face substantial fines.
Just over a month has passed since the scheme began, and the OAIC has published their first quarterly report. The report showed that 63 businesses have reported data breaches to the OAIC, with over half indicating that the breach was caused by human error.
Key statistics from the first quarterly report include:
- Top five sectors that notified the OAIC of eligible data breaches included health service providers (24 per cent of notifications), legal, accounting and management services (16 per cent), finance (13 per cent), private education (10 per cent), and charities (6 per cent).
- 78 per cent of eligible data breaches were reported to involve individuals’ contact information. 33 per cent were reported to involve health information and 30 per cent to involve financial details.
- 51 per cent of the eligible data breach notifications received indicated that the cause of the breach was human error. 44 per cent of breaches were reported to be the result of malicious or criminal attacks, and 3 per cent the result of system faults.
- 59 per cent of data breach notifications reported that the personal information of between one and nine individuals was affected. 90 per cent of data breach notifications related to breaches involving the personal information of fewer than 1,000 individuals.
These statistics are startling, as it is apparent that many Australian businesses are not taking data security seriously, and it is quite concerning to Australian consumers. Gerry Power, the National Head of Sales for cyber insurance firm Emergence, even stated that the statistics were “frightening”.
Almost half of the data breaches were caused by malicious attacks, which indicates that Australian businesses are being actively targeted by cyber criminals. According to the 2017 Australian Community Attitudes to Privacy Survey, 94 per cent of Australians believe that they should be informed when their personal data is misused, stolen, modified or lost by a business. The NDB scheme aims to ensure that Australian consumers are notified when such data breaches occur.
In light of this news, Australian organisations should be acting fast to ensure that their security systems, policies and procedures are actively being created, implemented and updated in response to the latest cyber threats facing data security today. Consumers place trust in the organisations they share personal information with, and it is the organisation’s responsibility to ensure that the data is appropriately handled and secured.
You can find more information on how to ensure that your organisation is prepared for future cyber threats and how the Notifiable Data Breaches Act affects you in previous articles on our blog.
For assistance in making the necessary arrangements required to meet NDB Scheme requirements, please do not hesitate to contact Agilient.