Revelations from the OAIC data breach reports
On February 22, 2018, the Office of the Australian Information Commissioner (OAIC) introduced mandatory data breach notification laws. The legislation was backed by severe penalties for anyone who fails to adequately report and remedy data breaches on their networks. While this may sound draconian, the intention behind the legislation is to give the OAIC and Australian businesses a clear picture of the true causes of data breaches.
Few people enjoy wading into the dry phraseology inherent to legislation and research reports. However, there are some powerful benefits to be gained from understanding the legislation and engaging with the OAIC’s reports. To save you time, we’ve condensed the relevant information into the following seven points.
Why track the OAIC data breach reports?
Twice yearly, the OAIC publishes a data breach report, revealing the main cybersecurity threats being faced by Australian businesses. In addition to offering an instant snapshot of the year’s data breaches, these reports are, over time, allowing for more and more in-depth analysis of emerging trends and issues.
While this data is valuable to regulating bodies, it also offers priceless information to business owners who are serious about protecting their systems and sensitive data from both malicious and error-based breaches.
As Australian Privacy and Information Commissioner Timothy Pilgrim explained when the legislation was announced,
“The new scheme will strengthen the protections afforded to everyone’s personal information and will improve transparency in the way that the public and private sectors respond to serious data breaches. It will also give individuals the opportunity to take steps to minimise the damage that can result from unauthorised use of their personal information.”
Malicious attacks aren’t the only data breach causes
Data breaches caused by human error were down in the first half of 2021, accounting for 30% of the total compared to 34% the previous year. However, with 134 notifications stemming from mistakes made by employees and stakeholders, this is still a significant risk for business owners to be aware of.
Simple training around cybersecurity and IT best practices – both in the office and at home – can save a company millions in lost revenue if it prevents even a single data breach. Then, of course, there’s the benefit of avoiding the potential for a costly OAIC fine (more on this below).
What is an eligible data breach?
The 2016 bill amends the Privacy Act (1988) “to introduce mandatory data breach notification provisions for agencies, organisations and certain other entities that are regulated by the Privacy Act.” Under the amendments, organisations must report an “eligible data breach” to the OAIC and notify affected customers immediately.
An eligible data breach occurs “where personal information held by an entity is subject to unauthorised access or unauthorised disclosure and a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the personal information relates.” (Privacy Amendment (Notifiable Data Breaches) Bill 2017)
There is an exception for situations where the entity takes remedial action before the access or disclosure results in serious harm. Other exceptions relate to law enforcement-related activities and the application of secrecy provisions in other laws.
Does swift remedial action negate the need to report to the OAIC?
This depends on a number of factors, including the nature of the data that’s been compromised, the source of the breach, and the actions taken by the company. Sometimes, even the swiftest remedial action is not enough for the breach to count as an exception.
If, for example, an email containing sensitive data is sent to a group of external parties, it is not sufficient to simply contact those parties and ask for them to delete the data. Unless you can confirm with absolute certainty that the data has not been accessed or copied, it is likely to still qualify as a reportable data breach. If in doubt, it’s best to contact your IT support provider or the OAIC.
What should your data breach response plan look like?
The bill specifies that your statement to the OAIC must include:
- A description of the data breach
- The nature of the information involved
- Recommendations for steps any affected parties should take in response to the incident
The third item matters because you must also notify all affected individuals of the contents of the statement. Business owners should also be aware that the OAIC may contact you before you’ve provided this statement if it believes an eligible data breach has occurred. If this happens, you must still write up a notification.
If you fail to notify the OAIC of a data breach and it is found to constitute a serious interference with privacy under the Privacy Act (1988), you can be penalised with a fine of up to AU$360,000 for individuals and AU$1.8 million for organisations (about US$274,560 and US$1.37 million, respectively).
Invotec Can Help You Comply with Data Breach Notification Laws
The best way to avoid getting on the wrong side of the OAIC is to protect your business from data breaches in the first place. Of course, the OAIC fines are just one of many pressing reasons why you need comprehensive, up-to-date cybersecurity measures in place to safeguard your systems and your data.
Invotec provides total data protection to Melbourne businesses, covering every necessary angle with our security tools, monitoring, and assessment and remediation procedures.
We’ll also help you stay in compliance with the data breach notification laws, and we’re happy to help you better understand what constitutes proper reporting and notification to the OAIC.