OAIC slims down data breach reports
Angelene Falk: The OAIC is tightening data breach reporting
Only two reports will be produced annually on the notifiable data breach scheme by the government’s privacy authority in future in the wake of ongoing resourcing issues hanging over the agency.
The Office of the Australian Information Commissioner (OAIC) this week released its quarterly report on the mandatory notifiable data breach (NDB) scheme for the April to June quarter, with the number of reported data breaches remaining consistent with previous quarters.
The OAIC has been producing quarterly reports since the NDB scheme was launched by the federal government early last year.
The scheme requires all government agencies and any company with annual turnover of $3 million or more to notify individuals and the OAIC if personal information has been exposed as part of a breach that is likely to cause “serious harm”.
But at the end of its latest report, the OAIC revealed that while it remained “ready to exercise its enforcement powers to support the NDB scheme’s purpose of protecting consumers”, it would only report on it twice a year, instead of quarterly.
No further explanation was given, but there have been concerns over the funding and resourcing for the OAIC for several years.
The office has an unprecedented workload, with new responsibilities concerning the NDB scheme and the Consumer Data Right, and ever increasing Freedom of Information requests and data privacy concerns.
While the OAIC received a $25.1 million funding boost over three years in the latest budget, this money would go towards the agency’s new responsibilities, rather than addressing the under-resourcing.
The funding will see the OAIC’s staffing rise from 93 to 124, in the face of an 18 per cent increase in privacy complaints and 27 per cent increase in FOI access review requests received by the agency in the last year.
The OAIC received 245 data breach notifications in the last quarter, a number largely in line with previous reports.
One in three of these breaches involved a human factor, most commonly compromised credentials, where a valid log-in and password was used to gain unauthorised access to personal information.
Several others involved individuals clicking on a phishing email or re-using the same password across different services.
“The fact that there is a human factor involved in so many cases demonstrates the need for staff training to increase awareness of cyber risks to take the necessary precautions,” Australian Privacy and Information Commissioner Angelene Falk said in the report.
Malicious or criminal attacks were the largest source of data breaches in the quarter, accounting for 62 per cent, and nearly 70 per cent of these involved “cyber incidents”.
The sectors reporting the most breaches were again private health and finance, and the majority of breaches affected fewer than 100 people.
One breach reported to the OAIC impacted more than 10 million people, but the agency clarified that this figure reflects the total number of individuals impacted by the breach around the world, not just in Australia.
The NDB scheme is having a real impact on government agencies and businesses around the country, Ms Falk said.
“The reporting regime has been well accepted and the onus is now on organisations to further commit to best practice in combating data breaches and improving response strategies,” she said.
“Effecting change in practices to prevent breaches is vital to the goal of protecting the community. Putting data breaches in the spotlight has heightened awareness of the privacy rights of consumers, who in turn are demanding greater security from the organisations with which they share information.”