Humans still to blame: Notifiable Data Breaches still largely attributable to human error

Lavan has provided updates in the past with respect to the quarterly updates published by the Office of the Australian Information Commissioner (OAIC) with respect to notifiable data breaches, accessible here.  To refresh, the OAIC publishes statistics and a report regarding notifications received under the Notifiable Data Breaches (NDB) scheme. 

The NDB scheme requires that organisations/government agencies covered by the Privacy Act 1988 must notify both the OAIC and any individuals affected when a data breach is likely to result in serious harm to an individual whose personal information is involved.

The most recent report relates to the period July 2020-December 2020 and it shows some interesting trends.  Compared with January – June 2020, the current report (available here) shows there was only a small (5%) increase overall in the number of notifiable data breaches.  However again, and consistent with previous Reports, the percentage of notifiable data breaches attributable to human error has risen, this time up 18% to amount to 38% of all notifiable data breaches.

Interestingly, in November 2020, the OAIC received only 62 notifications, compared with over 100 notifications for each of July, August and September. 

In terms of the sectors most affected, the Health sector continues to lead the way with the most number of NDBs, with the Australian Government also making it into the top 5 for the first time since the scheme began in February 2018.  The number of notifiable data breaches per sector were:

  • Health service providers - 123
  • Finance (incl. superannuation) - 80
  • Education - 40
  • Legal, accounting & management services - 38
  • Australian Government - 33

In a year like no other, the OAIC closely monitored trends in notifications which may have arisen from remote working arrangements implemented in light of the COVID-19 pandemic. 

The OAIC states: "it is noteworthy that there has only been a modest increase of 5% in the total number of notifications compared to the previous reporting period. However, it is also notable that data breaches resulting from human error have significantly increased, both in terms of the total number received – up 18% – and proportionally – up from 34% to 38% of all notifications. While it is possible that this increase is linked to changed business and information handling practices resulting from remote working arrangements, the OAIC is yet to identify any information or incidents that conclusively prove a link."

Of the NBD’s attributable to human error, by far the largest cause is personal information being sent to the wrong participant via email.

Lavan comment

Time and again, we see that that a significant number of notifiable data breaches are attributable to human error.  In modern times, where changes to working arrangements can happen overnight, and work practices must be flexible, it is of the utmost importance that organisations implement education, training and monitoring to assist employees in their tasks. 

This will likely decrease the number of NBDs occurring as a result of human error.  At an individual level, it is important to thoroughly review emails prior to sending, and the double check that the intended recipient is correct (and whether other recipients have been cc’d or bcc’d into the correspondence). 

If you have any queries in relation to this article, please contact Iain Freeman.