Data breaches up, so protecting yourself is crucial, says new OAIC Report

Monday’s latest Notifiable Data Breach Report from the OAIC highlighted the significant rise, year on year, of data breaches affecting Australians, with increasingly severe and far-reaching impacts on personal data – and on the organisations affected by them.

The OAIC's Report provides not only guidance to the organisations affected by a data breach, but also recommended considerations that can play a role in protecting individual privacy whilst reducing the likelihood and impact of data breaches, thereby improving the cybersecurity posture and compliance with regulatory requirements.

Data breaches in Australia: the key takeaways from the OAIC Report

Data breaches are on the rise, with a 9% increase in data breach incidents this reporting period (January to June 2024) compared to the previous six months.

No sector is immune to data breaches, with both public and private entities being impacted, as evidenced in the OAIC's Report; but of those that reported data breaches:

• Continuing from the last reporting period, the Health sector remains the top sector affected by notifiable data breaches.
• Government agencies are experiencing increasing number of data breaches and have moved up from fifth place to second, with a 65% increase in notifiable data breaches compared to the last reporting period.
• The Education sector, which did not appear in the top five in the previous reporting period, is now among the top four sectors affected in Australia.

Cyber security incidents continue to remain as the top cause of data breaches, accounting for a total of 38% of the all the data breaches reported. These cannot all be blamed on technical deficiencies. The human element in protecting individual privacy and security cannot be stressed enough. Human error contributed to 30% of breaches, mostly involving misdirected emails and unauthorised disclosures.

The OAIC is adopting a risk-based and harm-focused approach in taking regulatory action in response to a data breach. To support that, the OAIC has the authority to conduct investigations, accept enforceable undertakings, and issue determinations to organisations as needed.

What can organisations do to improve their data protection?

One thing is clear from the OAIC Report, if it wasn’t already: protecting individual privacy must be a top priority for organisations, not an afterthought.

That means you should recognise that individuals, clients, third-party stakeholders, and the OAIC expect a privacy-centric approach to be embedded in all aspects of their business operations, ensuring compliance with the privacy obligations.

Below are some actionable considerations:

• Build tone from the top: Data breaches have the potential to impact individuals' privacy on a significantly large scale. As stated in the OAIC's Report, Medibank allegedly interfered with the privacy of 9.7 million Australians by failing to take reasonable steps to protect their personal information. In an era where, on the one hand, organisations are collecting and processing large volumes of customer data and, on the other hand, there is an increasing number of sophisticated cyber-attacks, it is imperative for organisation's leadership teams to actively oversee their privacy practices and foster a culture of responsibility and accountability. This should start with organisations understanding the nature of their data holdings, including personal information holdings, and establishing "fit for purpose" privacy and security governance arrangements.
• Implement robust security practices: Organisations must adopt robust cybersecurity practices and technologies to safeguard individuals' personal information against the evolving threat landscape. As highlighted in the OAIC's Report and supported by our experience, a "defence-in-depth" strategy should be employed, incorporating multiple layers of security measures throughout the organisation. This approach ensures that personal information remains protected even if a particular control fails. For organisations seeking to establish effective security measures to protect such information, the OAIC's Report recommends aligning their processes, policies, and administrative activities with cyber security standards and frameworks such as the ASD’s Information Security Manual, NIST Cybersecurity Framework, ISO 27001/2, and ASD’s Essential Eight.
• Manage supply chain risks: Third-party suppliers are not just external entities, but an integral parts of many organisations when it comes to the collection and management of the personal data they hold. Organisations must realise that while they could delegate their operational processes to these third-party suppliers, they cannot completely transfer their responsibilities for cyber security and privacy risks. In fact, from our experience, using a third-party supplier often introduces a heightened privacy risk which the organisation should carefully consider. Therefore, organisations must thoroughly evaluate the systems, processes, and procedures adopted by their third-party supplier in protecting personal information. Additionally, organisation should assess how these third-party suppliers manage privacy and security protection with their own downstream fourth- and fifth-party suppliers to ensure comprehensive privacy protection throughout the supply chain.
• Train and educate staff at all levels: Employees across all levels of the organisation, should be aware of their privacy and security responsibilities. As suggested in the OAIC's Report; to mitigate the risk of human factor as a root cause of a data breach, organisation should educate their staff to reduce technical errors but also educate them to be aware of their privacy and security obligations. Additionally, organisations must consider the likelihood of an insider threat when developing these training and educational programs. From our experience, organisations generally focus on training their staff to protect individual privacy and security from external threats but tend to neglect that such threats could also present within their organisation.