What the latest OAIC Notifiable Data Breaches Report means for you

By Ooma Khurana and Radhika Bhatia

• 07 March 2024 • 7 min read

We share our insights from the latest Notifiable Data Breaches Report (Report) released by the Office of the Australian Information Commissioner (OAIC). Our analysis uncovers key statistics shaping the data breach landscape.

Twice per year, the OAIC reports on statistics and key learnings gathered from the eligible data breach notifications received under the Commonwealth Notifiable Data Breach Scheme (Scheme) during the previous 6-month period. The Report assists agencies and organisations (APP entities) which are subject to the Scheme to better understand current trends and privacy risks across the data breach landscape.

The latest Report covers notifications made to the OAIC from July 2023 – December 2023.

We summarise the key statistics identified in the latest Report, as well as some key takeaways for APP entities.

Key statistics

  1. Key sectors affected: The top 5 sectors to notify data breaches were health service providers, finance, insurance, retail and Australian Government.
  2. Number of notifications received: The OAIC received 483 eligible data breach notifications. This is a 19% increase from the January 2023 – June 2023 reporting period.
  3. Source of breaches: The sources of the reported breaches include:
    1. malicious or criminal attack (67%)
    2. human error (39%)
    3. system fault (3%)

      In contrast with the other ‘top 5’ sectors, Australian Government agencies notified more data breaches caused by human error than those caused by malicious or criminal attacks.
  4. Cyber security incidents: 44% of all data breaches resulted from cyber security incidents such as phishing, compromised or stolen credentials, ransomware, hacking, malware and brute force attacks.
  5. Number of individuals affected: The majority of breaches (65%) affected 100 or fewer individuals. Breaches affecting between 1 and 10 individuals accounted for 44% of all notifications, similar to previous reporting periods. Cyber incidents were the leading cause of incidents which impacted a large number of individuals (i.e. breaches impacting more than 5,000 individuals).

Key issues

Some of the key privacy issues identified in the Report are extracted below.


Data Retention

The greater the amount of personal information an entity holds, the greater the potential scale and complexity of a data breach. APP entities should ensure they have systems and processes in place to regularly review the personal information that they hold and consider whether it is still necessary to retain that personal information. Having a data retention policy that is regularly audited and updated, and is operationalised, is critically important.


Security of personal information

Compromised account credentials caused 25% of all data breaches in the reporting period, and ensuring the security of personal information has been identified by the OAIC as a regulatory priority.

The OAIC has strongly encouraged APP entities to uplift their access security and ICT security measures, including by implementing the Essential Eight cyber security strategies, multi-factor authentication and strong passphrases.

Outsourcing personal information holding

A significant data breach risk has been identified arising from sharing personal information with contracted service providers (e.g. cloud or software providers). The OAIC recommends mitigating this risk in contractual arrangements with third party service providers.

Data Breach Response Plan

The OAIC has re-emphasised its expectation that APP entities must have an effective data breach response plan in place.

It expects all APP entities to have an up‑to‑date data breach response plan and notes that the following gaps have been specifically identified in recent determinations:

  • failure to include insurance coverage details, including the extent of the coverage and the contact details of the insurer
  • not documenting a process for engaging an external provider to investigate a suspected data breach where necessary
  • failure to understand and document the need for an investigation to be conducted expeditiously and for all reasonable steps to be taken to conclude an investigation within 30 days.

Identification, Assessment and Notification Timeframes

Identification timeframes: The faster a breach is detected, the faster an APP entity can contain and limit its impact. During the reporting period, 64% of breaches were identified within 10 days of the breach occurring.

Assessment and Notification timeframes: The obligation to assess an incident may be triggered before all the facts of the incident are known. Similarly, the obligation to notify may be triggered before all the facts of the incident are known. Early assessment is recommended to ensure timely notification to the OAIC and affected individuals.

Importantly, the Report identifies that 28% of notifications to the OAIC did not occur within the 30-day timeframe.

Individuals should be at the front and centre of a data breach response

A key objective of the Scheme is to ensure individuals are promptly notified so they can quickly take steps to minimise their risk of harm. Effective actions identified by the OAIC include quickly putting steps in place to prevent further harm arising from a breach, and making improvements to security practices.

APP entities should only notify individuals via their website where it is not practicable to notify individuals directly. Where this is the case, the website notification must include all the content required to be included within notifications to individuals.

Regulatory Coordination

The OAIC has highlighted that APP entities may have multiple data breach reporting obligations, including under the Scheme, the SOCI Act, and the APRA Prudential Standards.

The Australian Government is implementing measures to streamline the existing regulatory frameworks, including via the establishment of a National Office for Cyber Security.

Key takeaways

While the Report identifies health service providers, finance, insurance, retail, and the Australian Government as the sectors which are reporting the highest number of breaches currently, the Report has broad relevance for all APP entities.

The latest Report also contains important learnings for government agencies and universities in NSW which, since November 2023, have been subject to an equivalent NSW specific scheme and mandatory reporting obligations.

Key Tips:

  • The OAIC expects APP entities to have established processes in place to enable compliance with the requirements of the Scheme.
  • APP entities must have an established data breach response plan in place to enable effective and timely assessment and notification in accordance with their regulatory obligations.
  • Finally, an individual who has been impacted by a breach should always be ‘front and centre’ of the response. Prompt notification enables individuals to take action and ultimately minimise risk of harm.

In our experience, good data hygiene practices will always lie at the core of best practice when it comes to data breach readiness and response.

Compliance ‘basics’, such as developing and operationalising policies and procedures for data handling, implementing and testing your data breach response plan, and supplementing these steps with regular staff training can be fundamental to success in the event of a breach.
