Legal Insights

Impact of Latest OAIC Data Breach Report on Victorian agencies and councils

By Melanie Olynyk

13 March 2024 • 3 min read

We share our insights from the latest Notifiable Data Breaches Report (Report) released by the Office of the Australian Information Commissioner (OAIC). Our analysis uncovers key statistics shaping the data breach landscape.

Twice per year the OAIC reports on statistics and key learnings gathered from the eligible data breach notifications received under the Commonwealth Notifiable Data Breach Scheme (Scheme) during the previous 6-month period. The Report assists agencies and organisations (APP entities) which are subject to the Scheme to better understand current trends and privacy risks across the data breach landscape.

The latest Report covers notifications made to the OAIC from July 2023 to December 2023.

We summarise the key statistics identified in the latest Report, as well as some key takeaways for Victorian government agencies and councils.

Key statistics

  1. Key sectors affected: The top 5 sectors to notify data breaches were health service providers, finance, insurance, retail and Australian Government.
  2. Number of notifications received: The OAIC received 483 eligible data breach notifications. This is a 19% increase from the January 2023 – June 2023 reporting period.
  3. Source of breaches: The sources of the reported breaches include:
    1. malicious or criminal attack (67%)
    2. human error (39%)
    3. system fault (3%)

      In contrast with the other ‘top 5’ sectors, Australian Government agencies notified more data breaches caused by human error than those caused by malicious or criminal attacks.
  4. Cyber security incidents: 44% of all data breaches resulted from cyber security incidents such as phishing, compromised or stolen credentials, ransomware, hacking, malware and brute force attacks.
  5. Number of individuals affected: The majority of breaches (65%) affected 100 or fewer individuals. Breaches affecting between 1 and 10 individuals accounted for 44% of all notifications, similar to previous reporting periods. Cyber incidents were the leading cause of incidents which impacted a large number of individuals (i.e. breaches impacting more than 5,000 individuals).

Key issues

Some of the key privacy issues identified in the Report are extracted below.

  • Data Retention

    The greater the amount of personal information an entity holds, the greater the potential scale and complexity of a data breach. APP entities should ensure they have systems and processes in place to regularly review the personal information that they hold and consider whether it is still necessary to retain that personal information. Having a data retention policy that is regularly audited and updated, and is operationalised, is critically important.

  • Security of personal information

    Compromised account credentials caused 25% of all data breaches in the reporting period, and ensuring the security of personal information has been identified by the OAIC as a regulatory priority.

    The OAIC has strongly encouraged APP entities to uplift their access security and ICT security measures, including by implementing the Essential Eight cyber security strategies, multi-factor authentication and strong passphrases.

  • Outsourcing personal information holding

    A significant data breach risk has been identified arising from sharing personal information with contracted service providers (e.g. cloud or software providers). The OAIC recommends mitigating this risk in contractual arrangements with third party service providers.

  • Data Breach Response Plan

    The OAIC has re-emphasised its expectation that APP entities must have an effective data breach response plan in place.

    It expects all APP entities to have an up‑to‑date data breach response plan and notes that the following gaps have been specifically identified in recent determinations:

    • failure to include insurance coverage details, including the extent of the coverage and the contact details of the insurer
    • not documenting a process for engaging an external provider to investigate a suspected data breach where necessary
    • failure to understand and document the need for an investigation to be conducted expeditiously and for all reasonable steps to be taken to conclude an investigation within 30 days.

  • Identification, Assessment and Notification Timeframes

    Identification timeframes: The faster a breach is detected, the faster an APP entity can contain and limit its impact. During the reporting period, 64% of breaches were identified within 10 days of the breach occurring.

    Assessment and Notification timeframes: The obligation to assess an incident may be triggered before all the facts of the incident are known. Similarly, the obligation to notify may be triggered before all the facts of the incident are known. Early assessment is recommended to ensure timely notification to the OAIC and affected individuals.

    Importantly, the Report identifies that 28% of notifications to the OAIC did not occur within the 30-day timeframe.

  • Individuals should be at the front and centre of a data breach response

    A key objective of the Scheme is to ensure individuals are promptly notified so they can quickly take steps to minimise their risk of harm. Effective actions identified by the OAIC include quickly putting steps in place to prevent further harm arising from a breach, and making improvements to security practices.

    APP entities should only notify individuals via their website where it is not practicable to notify individuals directly. Where this is the case, the website notification must include all the content required to be included within notifications to individuals.

  • Regulatory Coordination

    The OAIC has highlighted that APP entities may have multiple data breach reporting obligations.

    The Australian Government is implementing measures to streamline the existing regulatory frameworks, including via the establishment of a National Office for Cyber Security.

Key takeaways

While the Report relates to APP entities which are subject to the Scheme, there are still some key takeaways for Victorian government entities and councils more generally.

Key Tips:

  • There is an expectation that established data breach response processes are in place.
  • An individual who has been impacted by a breach should always be ‘front and centre’ of the response. Prompt notification enables individuals to take action and ultimately minimise risk of harm.

In our experience, good data hygiene practices will always lie at the core of best practice when it comes to data breach readiness and response.

Compliance ‘basics’, such as developing and operationalising policies and procedures for data handling, implementing and testing your data breach response plan, and supplementing these steps with regular staff training, can be fundamental to success in the event of a breach.

The Office of the Victorian Information Commissioner provides resources to Victorian government agencies on reporting, and responding to, data breaches. It also has guidance notes on two particular key risk areas, namely inadvertent disclosure when sending emails and phishing attacks.

Stay informed by subscribing to our Privacy, Data & Information team updates.
