Mandatory data breach reporting - what's the impact?

Aug 2018

Just over six months after the mandatory data breach notification legislation¹ was introduced, the Office of the Information Commissioner has published its first full quarterly report on the notified data breaches, and it makes interesting reading.

The most breaches were reported by health service providers with 49 breaches, followed by finance entities (36) then legal, accounting and management entities (20) and education organisations (19). Business and professional associations reported 15 breaches.

Interestingly, because the legislation is federal, it doesn’t apply to state government entities. Consequently, the health service providers caught by the legislation are largely private entities. This means that the recently discovered NSW Health breach of over 1,000 health records found in a derelict building would not be caught by the new legislation. The same goes for state government education institutions such as government schools and technical colleges.

Between February and June 2018, there have been 305 notifications in total. There have been 242 notifications in the most recent quarter, with the majority the result of malicious or criminal attacks (59%) with human error accounting for a significant portion (36%). The remaining 5% is the result of system faults.

The number of breaches notified per month has steadily increased since the legislation was introduced in late February 2018. In March 2018 there were 55 breaches notified, April had 65, May 87 and by June there were 90 breaches notified.  

The most common type of information accessed was contact information (home or email addresses and telephone numbers), but worryingly a total of 157 breaches involved financial details as well as identity information (passport or driver’s license numbers) and health information.

Within the malicious attacks, theft of paperwork or storage devices featured prominently, with health services most heavily impacted. However, unsurprisingly, cyber incidents (ransomware, phishing, malware etc.) accounted for almost 70% of malicious attacks, and focused on the finance sector. Within that 70%, credentials were stolen by phishing or brute force, or by an unknown method. Ransomware caused a fairly low number of breaches. Social engineering and rogue employees accounted for around 10% of malicious attacks. Interestingly, the industry with the most rogue employee breaches is health services.

The most significant human error breach was the sending of personal information to the wrong recipient – by email, hard copy mail or other method. While there were many notifications resulting from information sent to the wrong recipient (40 in total), the number of affected people per breach was quite low: a single person or small group. In contrast, while the loss of storage devices did not result in the largest number of notifications (nine in total), such losses did impact the largest number of people with an average of over 1,000 people affected per lost device.

Interesting to note:

  • Most breaches affected fewer than 100 people. Only one breach affected over a million people.

  • Human error was the cause of most health industry breaches, while legal, accounting and management entities suffered more from malicious attacks.

  • What seems to be a fairly low-level breach depending on the circumstances – failing to ‘blind carbon copy’ people when sending group emails – resulted in seven notifications with an average of 571 impacted people per breach. The education sector seemed to have the most of these types of breaches.  

Each of these breaches has caused the subject entities to incur the costs of notifying the Information Commissioner and any impacted individuals. Presumably these entities will also have incurred the costs of investigating and remedying the breaches and considering their legal obligations. Some breaches can cause business interruption, and all carry the risk of serious reputational harm, not to mention any anxiety and distress caused to the individuals affected.

The quarterly report is another timely reminder to combat complacency and to take steps to train staff and protect personal and sensitive data. If the trends outlined in this quarterly report continue, the incidence of serious data breaches will only increase. We await the next quarterly report with interest.

.....

1 Part IIIC of the Privacy Act 1988 (Cth).
