February 16, 2019

Australian Information Commissioner’s Office Releases Report on Notifiable Data Breach Scheme

The Office of the Australian Information Commissioner (OAIC) released its second quarterly statistics report into the Notifiable Data Breach Scheme on 31 July 2018 (Report), providing further insight into the operation of the new scheme, which commenced February this year. The scheme provides for mandatory reporting of ‘eligible’ data breaches to the OAIC and to potentially affected individuals. Whether a data breach is eligible depends on whether the unauthorised disclosure, or loss, of data is likely to result in serious harm to affected individuals.

The OAIC recorded over 200 data breach notifications in the Report period between 1 April and 30 June 2018. The OAIC previously released data breach notification figures for the period spanning 22 February, when the scheme commenced, to 31 March 2018. During this short six-week period the OAIC received approximately 10 notifications per week. In the second reporting period the notification rate has increased, with the OAIC recording approximately 18 notifications per week.

In total, the OAIC received 242 data breach notifications in the second quarter of 2018, taking the total number of notifications received since the scheme’s implementation to 305.

The Report highlighted harrowing data breach figures, recording a number of significant data breaches, including a breach which affected between 1 and 10 million Australians. The Report does not offer exact figures for the number of Australians affected by data breaches in the most recent quarter, but does provide a series of bands indicating the range of individuals affected by each incident. The majority of data breaches involved relatively small groups of affected people, with 61% of data breaches involving 100 individuals or fewer, and 38% affecting fewer than 10 Australians. While these figures provide some comfort, even where the numbers are low it does not follow that the level of harm is also low.

A significant proportion of breaches affected far broader sections of the community. Over 14% of all notifications received by the OAIC affected more than 1,000 individuals. Undertaking a general analysis of the figures provided, treating each incident as if it were the median figure of its respective band, the Report indicates that up to 5.3 million Australians have been impacted by a data breach in the most recent quarter alone.

The Report provides much needed clarity into the nature of data breaches occurring in Australia, helping businesses to target their efforts at prevention. Figures provided in the OAIC’s first quarter report indicated that the cause of data breaches is evenly split between malicious or criminal attack and human error at 44% and 51% respectively. However, the updated second-quarter figures provide a more one-sided picture, citing 59% of breach notifications as a result of malicious or criminal attacks, while the percentage of human error reduced to 36%. Considering the figures provided by the OAIC through 2018 so far, the total breakdown by breach type is as follows:

Type of Breach            Percentage
Malicious or Criminal     56%
Human Error               39%
System Failure/Other      5%

These figures highlight the importance of a dual-layered approach to cyber-security and privacy compliance. Robust information-technology and cyber-security safeguards to protect against malware, ransomware and other cyber-attacks are not enough – in order to fully protect personal information from unauthorised access, disclosure or loss, the human element of any organisation must be addressed. An organisation’s cyber-security is not a case of “set and forget”. Adequate data protection compliance will only be achieved through the implementation of clear and thorough information handling policies and through ongoing training and evaluation of staff conduct to minimise the inevitable “human error”.

If you would like to review the Report in detail, please visit the OAIC’s website for further information.

© Copyright 2019 Squire Patton Boggs (US) LLP


About this Author

Margie M. Tannock, Squire Patton, Corporate Governance Lawyer, Australia, Land Access Attorney

Margie Tannock’s practice focuses on advising clients from all sectors on statutory approvals, corporate governance, compliance and public law. She works closely with clients to resolve regulatory risk across all aspects in corporate decision making, especially relating to major projects, environmental, planning and land access authorisations.

Margie delivers strategic advice and commercial solutions involving property and infrastructure developments. She has advised on regulatory permitting and licencing for major resource and energy projects, including port,...

61 8 9429 7456
Charlotte Osborne, Squire PB, environmental lawyer
Senior Associate

Charlotte Osborne advises clients from all sectors on planning and environmental law, and related regulatory and public law matters.

Charlotte is an approachable and pragmatic lawyer with more than 11 years’ experience advising clients from a range of sectors in regulatory, local government and commercial law.

As part of the Energy & Natural Resources team, Charlotte mainly advises in the areas of town planning, development, environmental, administrative and public law.

Prior to joining the firm, Charlotte practised environment and planning law and general commercial law with an international law firm in Perth. Charlotte also practised law for six years in England, working for local government with a focus on planning and projects.

61 8 9429 7592
Connor McClymont, Corporate lawyer, Squire PB

Connor McClymont is an associate in our Corporate Practice Group, advising clients on a wide range of corporate transactions, focussing on capital markets and corporate governance. He has advised clients on a range of matters in related fields, including data privacy and cybersecurity, migration and consumer protection.

Connor has experience assisting on capital market raisings, such as rights issues and placements, and conducting due diligence for a variety of domestic and cross-border transactions.

61 8 9429 7534