In its latest notifiable data breaches report, The Office of the Australian Information Commission (OAIC), in addition to the usual notification statistics, has given guidance on certain aspects of eligible data breach assessments. It has also identified basic measures businesses should have implemented to deal with data breaches.

Number and causes of notified breaches

446 breach notifications were made in the first half of 2021, which represents a 16% drop in notifications compared to the second half of 2020.

The drop in the number of notifications appears unusual given anecdotal indications that there were more social engineering and cyber incidents in the period.

Consistent with a rise in such incidents, 65% of all notification breaches in the period resulted from malicious or criminal attacks (compared to 57% in the previous period). Human error remains a significant cause of data breaches, accounting for 30% of all breaches notified.

Guidance provided by the OAIC in the report (discussed further below) suggests the manner in which certain cyber incidents were assessed may have resulted in an under reporting of breaches.

Most affected industries

The industry sectors that, once again, notified the most breaches in the past 6 months were:

  • health service providers
  • finance
  • legal, accounting and management services

This has been a consistent trend since the commencement of the breach notification regime in February 2018. It aligns with these industries holding and handling a greater volume of valuable personal information in their day to day function and the ability of threat actors to benefit financially from any personal information exfiltrated from businesses in these industries.

Assessment commentary

The OAIC in the report has helpfully provided guidance on various aspects of the notification assessment process. Through case examples, the OAIC indicated:

  • that it generally considers scenarios where there is a 'lack of evidence' preventing an entity from confirming if a threat actor has accessed, viewed or exfiltrated data will result in reasonable grounds to believe that an eligible data breach may have occurred;
  • that it is likely to consider successful impersonation fraud to be an eligible data breach;
  • the extent to which it expects remedial steps taken by a business to have prevented the likelihood of serious harm before a business can rely on those steps to conclude there has not been an eligible data breach.

The guidance provided is very much welcomed and we look forward to similar guidance on other scenarios businesses commonly face when assessing if there has been an eligible data breach.

Expected policies and procedures

In addition to assessment guidance, the OAIC highlighted some of the policies and procedures it expects businesses to have in place to meet their obligations under the Privacy Act. This includes:

  • regularly reviewing security measures, controls and identity verification processes intended to minimise the risk of impersonation fraud;
  • having appropriate internal practices, procedures, and systems to undertake a proper assessment of whether a cyber incident has resulted in an eligible data breach; and
  • having appropriate audit and access logs, a routinely tested backup system and an appropriate incident response plan.

Businesses must address cyber risk

The assessment guidance and expectations of policies and procedures that businesses should have in place aligns with advice we have given businesses when assisting them address cyber risk or dealing with a cyber incident.

Having adequate measures in place to address cyber risk, including suitable policies and procedures, is imperative to limiting the risk of compromise, minimising costly downtime and facilitating prompt data recovery for business continuity and resilience.

Businesses that suffer a cyber incident need to ensure they take the right steps in response to limit the damage caused and deal with obligations to stakeholders and imposed by regulations.

If you need help to gauge or improve your cyber resilience, or to deal with a cyber incident, we can assist with a range of services and expertise.

The OAIC Notifiable Data Breaches Report: January-June 2021 can be accessed here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.