The Office of the Australian Information Commissioner (OAIC) has released the notifiable data breaches quarterly statistics for the period 1 April to 30 June 2019.
We reported on previous releases for 2018, which can be found here, and here and 2019 which can be found here. The key statistic arising out of the latest report, is that the number of notifiable data breaches is not decreasing:
Whilst there are many factors which influence the number of data breach notifications, these statistics show us that data breaches remain a prevalent issue.
It is noteworthy that only 4% of data breach notifications for the 1 April to 30 June 2019 period were attributed to system faults that is, underlying problems with IT systems; the rest were human error such as sending emails to wrong addressees (34%) or malicious/criminal attacks (62%). It is important to understand that successful malicious/criminal attacks are very often coupled with failures to follow protocols.
Of the malicious/criminal attacks, 43% were attributed to phishing.1 Phishing is defined as “An attack in which the target is contacted by email or text message by someone posing as a legitimate institution to lure individuals into providing personal information, sensitive information or passwords”.2
The attack succeeds only when the recipient reacts to the message.
The results from the notifiable data breaches quarterly statistics demonstrate that data breaches are largely attributable to human accident. Whether a breach has occurred because someone accidentally sent personal information to the wrong email address (29 instances notified)3 or whether a person accidentally clicked on a phishing email, the cyber compromises which are occurring are, by and large, an issue for employment, human resources and training.
The OAIC has published various guidelines and policies outlining how organisations can comply with their obligations under the Privacy Act 1988. However, compliance with just the Privacy Act will not necessarily prevent cyber compromises in your organisation. The Privacy Act addresses only one aspect of your organisation’s cyber security.
Lavan suggests that the most effective method to ensure that your employees are not breaching your privacy obligations and therefore exposing your organisation to the risk of cyber attacks, is through training and education of your employees, and people with whom you do business. A well-structured employment contract and training system can help people understand how to ensure their actions won’t promote a privacy breach. Lavan can assist in drafting employment contracts, Privacy and Cyber plans, and to assist if you are concerned a data breach may have occurred.
[1] https://www.oaic.gov.au/assets/privacy/notifiable-data-breaches-scheme/statistics/notifiable-data-breaches-statistics-report-1-april-to-30-june-2019.pdf, p11.
[2] https://www.oaic.gov.au/assets/privacy/notifiable-data-breaches-scheme/statistics/notifiable-data-breaches-statistics-report-1-april-to-30-june-2019.pdf, p20.
[3] https://www.oaic.gov.au/assets/privacy/notifiable-data-breaches-scheme/statistics/notifiable-data-breaches-statistics-report-1-april-to-30-june-2019.pdf.
