The Office of the Australian Information Commissioner (OAIC) has published its Notifiable Data Breaches report for July to December 2023.
The latest statistics highlight the risk of outsourcing personal information handling to third parties and the reporting of multi-party breaches.
The report explains that when a single data breach affects multiple entities, the OAIC may receive multiple notifications relating to the same incident.
Notifications relating to the same incident are counted as a single notification in the report to avoid duplication. However, the volume of secondary notifications indicates how much multi-party breach reporting is occurring.
Secondary notifications rose significantly, to 121 in this period from 29 in the previous reporting period.
Most of these multi-party breaches involved a data breach of a cloud or software provider, which then impacted the clients who had outsourced their personal information handling to those providers.
In this reporting period, multi-party breaches involving contracted service providers highlighted two issues:
• the lack of data retention or destruction clauses in contractual agreements following the cessation of services
• the lack of clearly defined responsibilities should a data breach occur, including who should assess and/or notify the breach.
Other issues
The July to December 2023 period saw 483 data breaches reported to the OAIC, up 19% from the first half of the year.
Malicious or criminal attacks remained the leading source of data breaches, accounting for 67% of all notifications, and the majority of those were cyber security incidents.
The health and finance sectors remained the top reporters of data breaches, with 104 and 49 notifications respectively.
Cyber incidents continued to be the leading cause of data breaches that impacted a large number of Australians. Of the 26 breaches that affected over 5,000 Australians, 22 were caused by cyber incidents. The top causes were compromised or stolen credentials (9 notifications), ransomware (8 notifications) and hacking (4 notifications).
Author: David Jacobson
Principal, Bright Corporate Law
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.