As many readers know, the Notifiable Data Breach Scheme (NDB Scheme) came into force on 22 February 2018. It has resulted in changes to Australia’s privacy law in relation to notification obligations on individuals and organisations that experience an eligible data breach.
The Office of the Australian Information Commissioner (OAIC) recently released its second quarterly report on data breaches notified under the NDB Scheme between 1 April and 30 June 2018. The OAIC has reported that 242 data breach notifications were filed, which is approximately four times the number notified to the OAIC between 22 February and 31 March 2018.
The graph below shows that data breach notifications are steadily increasing.
As foreshadowed in our blog on the first OAIC report, we expect this trend to continue for the rest of 2018.
The report states that across all sectors the top five kinds of personal information involved in data breaches included:
- Contact information (89 percent)
- Financial details (42 percent)
- Identity information (39 percent)
- Health information (25 percent)
- Tax File Numbers (19 percent)
In a change from the first quarter report, malicious or criminal attacks (phishing, malware, ransomware, brute-force attack/compromised credentials etc.) accounted for 59 percent of the data breaches, while human error accounted for 36 percent. The remaining 5 percent was attributed to system faults. In comparison, the first quarterly report stated that 51 percent of data breaches were caused by human error, while 44 percent were a result of malicious or criminal attack. Despite these changes, malicious or criminal attacks and human error constitute the most frequent causes of data breaches.
Below is a summary of the top five sectors’ key statistics.
This graph shows very similar statistics to those provided in the first quarter report. Given the quarterly growth in the number of data breaches, it is important that organisations understand their obligations under the NDB Scheme and the actions they can take to reduce risk. With the second set of results now published, it is a timely reminder to seek legal assistance if you believe that you or your organisation may have been subject to a data breach.
For readers looking for more information on the NDB Scheme, we have prepared a series of blogs on different aspects of the new law to help you understand how it works and what your obligations may be in the case of a data breach. Our previous blogs can be accessed via the following links: