Is data privacy an afterthought in your organisation? Here’s why it shouldn’t be
According to the Office of the Australian Information Commissioner (OAIC), 527 data breaches were reported between January and June 2024. This is a 9% increase on the second half of last year and the highest number of notifications since July to December 2020.
“Almost every day, my office is notified of data breaches where Australians are at likely risk of serious harm. This harm can range from an increase in scams and the risk of identity theft to emotional distress and even physical harm,” stated Australian Privacy Commissioner Carly Kind.
“Privacy and security measures are not keeping up with the threats facing Australians’ personal information, and addressing this must be a priority.”
In fact, statistics released by the OAIC show that the sectors reporting the most data breaches during this period were health service providers, the Australian government, finance, education, and retail.
What is a notifiable data breach?
As stated by the OAIC, a notifiable data breach occurs when all of the following apply:
Personal information has been accessed or disclosed without authorisation, or has been lost
The breach is likely to cause serious harm to one or more individuals
The organisation has not been able to prevent the likely risk of serious harm with remedial action
Where an organisation suspects it may have experienced a data breach, the Privacy Act 1988 requires it to take reasonable steps to complete an assessment within 30 days of becoming aware of the suspicion.
Most common types of data breaches
The Notifiable Data Breaches Report: January to June 2024, published by the OAIC, states that the most common source of data breaches was malicious or criminal attacks, which accounted for 67% of all reported breaches. Human error accounted for 30% of breaches, and system faults for 3%.
Regulatory Action taken by OAIC
So, what might failure to comply mean for your organisation? Let's find out.
1. Civil Penalty against Medibank
In 2022, Medibank and its subsidiary AHM experienced a data breach that exposed the personal information of millions of customers on the dark web. After investigating Medibank's privacy practices, the OAIC alleged that Medibank seriously interfered with the privacy of 9.7 million Australians and failed to take reasonable steps to protect its customers' personal information, in breach of the Privacy Act 1988. This case is currently before the Federal Court pending judgement. (Source: OAIC)
2. Federal Court proceedings against Australian Clinical Labs
In 2022, Australian Clinical Labs (ACL) faced a data breach involving the personal information of millions of Australians through its Medlab Pathology business. The OAIC's investigation revealed that ACL:
Failed to take reasonable steps to protect the personal information from unauthorised access
Failed to conduct a proper risk assessment following the breach to assess whether it was notifiable
Failed to notify the OAIC as soon as reasonably practicable
This case is also currently before the Federal Court pending judgement. (Source: OAIC)
What factors does OAIC consider when taking regulatory actions?
The OAIC does not take regulatory action against every data breach reported to it. According to the Notifiable Data Breaches Report: January to June 2024, it is more likely to take regulatory action in cases that:
Pose a substantial risk of harm to individuals and communities, particularly individuals in vulnerable groups
Concern systemic issues or violations
Offer an opportunity for action to have an educative or deterrent effect on market practice
Involve a matter of public interest or concern
What steps can you take to minimise the impact of these common types of data breaches?
Failure to take reasonable steps to secure personal information against a breach may result in penalties under the Privacy Act 1988.
So, what can you as an organisation do to protect yourself from data breaches and potential regulatory actions? Let’s discuss it below, considering the three most common types of data breaches.
1. Minimising the impact of cyber security threats
The Notifiable Data Breaches Report: January to June 2024 states that 38% of reported breaches were due to cyber security incidents. The reported incidents fall into six main categories, shown in the figure below.
[Figure: breakdown of reported cyber security incidents by category. Image source: Notifiable Data Breaches Report: January to June 2024]
Several bodies, including the OAIC, the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC), have published guidance on how organisations can mitigate these risks. Their recommendations include:
Set up multi-factor authentication for all users accessing business systems, including data repositories.
Where multi-factor authentication cannot be implemented, enforce password management policies such as complexity requirements and a ban on reusing the same password across multiple platforms.
Grant access to information at the level appropriate to each user's role and responsibilities.
Monitor the access privileges granted to users and remove access as soon as it is no longer needed.
Implement the Essential Eight, a set of baseline controls and security measures aimed at helping organisations protect their internet-connected enterprise information technology systems and data holdings from cyber threats.
Conduct risk assessments using tools such as the Cyber Wardens Health Check.
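The MFA, least-privilege and access-removal recommendations above are easiest to act on when they are checked routinely rather than once. The script below is an added example, not code from the OAIC, ASD or ACSC, of a periodic access review over a constructed user list: it flags accounts without MFA, accounts whose privileges exceed the baseline for their role, accounts with an unrecognised role, and accounts that have not logged in for longer than an assumed 90-day limit. The role baselines, the 90-day threshold and the sample accounts are all assumptions made for the example.

```python
"""Periodic access review: flags accounts that fall short of the MFA,
least-privilege and stale-access controls recommended above.

Added example with constructed data; not tooling from the OAIC, ASD or ACSC.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Assumed role baselines: the maximum set of privileges each role should hold.
# Anything beyond this is flagged as excess and should be removed or justified.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "clerk": {"records:read"},
    "clinician": {"records:read", "records:write"},
    "admin": {"records:read", "records:write", "users:manage"},
}

# Assumed threshold after which an unused account is treated as dormant.
INACTIVITY_LIMIT = timedelta(days=90)


@dataclass
class Account:
    username: str
    role: str
    privileges: Set[str]
    mfa_enrolled: bool
    last_login: Optional[date]  # None means the account has never logged in


def review_account(acct: Account, today: date) -> List[str]:
    """Return the list of findings for one account (empty list = compliant)."""
    findings: List[str] = []

    # Control 1: every account accessing business systems must have MFA.
    if not acct.mfa_enrolled:
        findings.append("no_mfa")

    # Control 2: privileges must not exceed the baseline for the user's role.
    # An unknown role has no baseline, so every privilege it holds is excess.
    if acct.role not in ROLE_BASELINE:
        findings.append("unknown_role")
    excess = acct.privileges - ROLE_BASELINE.get(acct.role, set())
    if excess:
        findings.append("excess_privileges:" + ",".join(sorted(excess)))

    # Control 3: access that is no longer used should be removed.
    if acct.last_login is None or today - acct.last_login > INACTIVITY_LIMIT:
        findings.append("dormant")

    return findings


def review_all(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Review every account and return only those with findings."""
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        findings = review_account(acct, today)
        if findings:
            report[acct.username] = findings
    return report


# Constructed sample directory export (not real accounts).
REVIEW_DATE = date(2024, 7, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "clinician", {"records:read", "records:write"}, True, date(2024, 6, 28)),
    Account("bob", "clerk", {"records:read", "users:manage"}, False, date(2024, 6, 30)),
    Account("carol", "admin", {"records:read", "records:write", "users:manage"}, True, date(2024, 2, 1)),
    Account("dave", "contractor", {"records:read"}, True, None),
]


def run_example() -> Dict[str, List[str]]:
    """Run the review over the constructed sample and return the findings."""
    return review_all(SAMPLE_ACCOUNTS, REVIEW_DATE)


if __name__ == "__main__":
    for user, findings in run_example().items():
        print(f"{user}: {', '.join(findings)}")
```

In practice the account list would come from an identity provider or directory export, and the review output would feed a ticket to remove the excess privilege or disable the dormant account; the point of returning structured findings rather than printing them is so the same function can run on a schedule and be asserted on.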
2. Minimising the impact of human error
Human error accounted for 30% of the data breaches reported to the OAIC during the reporting period. This is a significant proportion, and it shows that organisations need to consider the human factor in their operations no matter how secure and up to date their systems are.
Among the reported breaches, the main causes of human error were identified as shown in the figure below.
[Figure: main causes of human-error breaches. Image source: Notifiable Data Breaches Report: January to June 2024]
As advised by the OAIC, the impact of these human errors can be minimised in several ways, including:
Integrating technical measures into systems to reduce the opportunity for error
Educating and training employees on safe information handling procedures
Educating employees on how to identify phishing attacks
Regularly monitoring systems to identify unauthorised access attempts, whether internal or external
Having an IT policies and procedures manual in place; the template available from Business Victoria can be used to get started
3. Minimising the risks associated with the use of cloud software
System faults account for 3% of all reported breaches; although this is a small percentage, the damage they can cause to a business can be vast. With advances in technology, many businesses have migrated to cloud computing solutions to improve their operations and ease of access. Although cloud software has its own level of protection against cyber threats, responsibility for protecting personal information is shared between the cloud service provider and the organisation that uses it.
The OAIC advises organisations to take the following actions to minimise the risks associated with the use of cloud software:
Put in place the protocols and procedures needed to manage data security on cloud platforms.
Use multi-factor authentication and IP access controls.
Conduct reviews and security assessments at regular intervals to identify potential threats or breaches.
Monitor cloud storage environments regularly for potential risks.
Ensure compliance with ISO 27001
With the increased risks associated with cybersecurity incidents, many organisations, government bodies, and customers are placing greater trust in organisations that are committed to protecting their information.
Showcase your organisation’s commitment to maintaining high security standards within your information systems with an ISO 27001 certification.
Feel free to contact us or visit our website for more information.