The Office of the Australian Information Commissioner (OAIC) has published the first quarterly report on data breach notifications received under the Notifiable Data Breaches (NDB) scheme, which came into force on 22 February 2018.
The OAIC received 63 data breach notifications under the scheme during the first six weeks of the scheme’s operation. In the 2016–17 financial year, the OAIC received 114 data breach notifications on a voluntary basis.
The NDB scheme requires entities with obligations to secure personal information under the Privacy Act 1988 to notify individuals when their personal information is involved in a data breach that is likely to result in serious harm. These data breaches are referred to as ‘eligible data breaches’. Entities must also notify the OAIC about eligible data breaches.
The NDB scheme formalised the community’s expectation for transparency when a serious data breach occurs. According to the 2017 Australian Community Attitudes to Privacy Survey, 94 per cent of Australians believe they should be told when personal information is lost by a business.
Just over half of the eligible data breach notifications received in the first quarter indicated that the cause of the breach was human error. In the 2016–17 financial year, 46 per cent of the data breach notifications received by the OAIC voluntarily were also reported to be the result of human error.
This highlights the importance of implementing robust privacy governance alongside a high standard of security. A Cyber Insurance policy gives insureds 24/7 access to an incident response team of experts who understand the importance of immediately mitigating potential threats to insureds’ businesses.
A Cyber Insurance policy should be part of every successful business’s risk management framework. Cyber insurance is not the first line of defence; it is designed to protect a business when its IT security, policies and procedures fail to stop an attack.
Key statistics from the first quarterly report include:
- Top five sectors that notified the OAIC of eligible data breaches included health service providers (24 per cent of notifications), legal, accounting and management services (16 per cent), finance (13 per cent), private education (10 per cent), and charities (6 per cent).
- 78 per cent of eligible data breaches were reported to involve individuals’ contact information. 33 per cent were reported to involve health information and 30 per cent to involve financial details.
- 51 per cent of the eligible data breach notifications received indicated that the cause of the breach was human error. 44 per cent of breaches were reported to be the result of malicious or criminal attack, and 3 per cent the result of system faults.
- 59 per cent of data breach notifications reported that the personal information of between one and nine individuals was affected. 90 per cent of data breach notifications related to breaches involving the personal information of fewer than 1,000 individuals.
For more information on how a Cyber Insurance policy can assist in protecting your business, contact your Account Manager now.