More than 60 data breaches were reported to the government’s privacy body in the first six weeks of the new mandatory notification scheme, with the majority caused by human error.
In its first quarterly report on the mandatory data breaches notification scheme since it was launched in late February, the Office of the Australian Information Commissioner (OAIC) revealed it had received 63 notifications from Australian organisations.
This is already more than half of the amount of data breaches voluntarily reported by businesses in the whole of the last financial year.
The new scheme requires all Australian government agencies and any organisation or company with an annual turnover of $3 million or more to notify individuals if their information has been exposed in a breach that is likely to cause “serious harm”.
Nearly a quarter of the reported breaches came from health service providers, with just over 15 per cent coming from legal, accounting and management services, 13 per cent from finance and 10 per cent from private education organisations.
The large majority of the breaches involved individuals’ contact information, including names, email addresses and phone numbers, while 33 per cent included health information and 30 per cent included financial details.
Just over half (51 per cent) of the breaches were reported as being the result of human error, including inadvertent disclosures where an individual sent a document containing personal information to the wrong recipient. Of the data breaches voluntarily reported in the last financial year, 36 per cent were a result of human error.
More than 40 per cent of the breaches were the result of a malicious or criminal attack, while just 3 per cent were due to system faults.
Twenty of the reported data breaches impacted only one person, while three breaches impacted at least 10,000 people.
Acting Australian Information and Privacy Commissioner Angelene Falk said the quarterly reports will help to identify trends and promote improved security.
“Over time, the quarterly reports of the eligible data breach notifications received by the OAIC will support improved understanding of the trends in eligible data breaches and promote a proactive approach to addressing security risks,” Ms Falk said.
Ms Falk said that with the majority of breaches being down to human error, Australian organisations need to be more proactive in implementing good data security strategies.
“This highlights the importance of implementing robust privacy governance alongside a high standard of security. The risk of a data breach can be greatly reduced by implementing practices such as Privacy Impact Assessments, information security risk assessments, and training for any staff responsible for handling personal information,” she said.
The increase in reported data breaches comes at a busy time for the OAIC, which has just officially opened an investigation into Facebook after more than 300,000 Australian users had their data harvested and sold to a British data analytics firm.
Concerns have also been raised that the organisation does not have the adequate resources or funding from government to properly oversee the data breaches scheme along with its other responsibilities.
The OAIC was allocated $10.74 million for the 2017-18 financial year along with $3 million through deals with government agencies. The office has 70 full-time employees.
Following the retirement of Commissioner Timothy Pilgrim last month, all four of the OAIC’s top management roles are currently filled on an interim basis.
According to former Victorian privacy commissioner David Watts, the OAIC is facing “unprecedented challenges” as its resources are “stretched beyond breaking point”.