Australia does not yet have mandatory data breach notification laws (see last year’s ALRC proposals), so we don’t know about breaches other than those that gain public notoriety (e.g. files dumped in bins, stolen laptops or forgotten CDs).
But we can learn from those breaches analysed in the USA: Verizon has published its 2009 Data Breach Investigations Report.
Its analysis of data breaches concluded:
- 74% were caused externally, 20% internally;
- 67% were aided by errors, 22% involved privilege misuse;
- 69% were discovered by a third party, 87% were considered avoidable through simple controls.
The five recommendations were:
- Ensure essential controls are met.
- Have data retention policies: find, track, and assess data.
- Collect and monitor event logs.
- Audit user accounts and credentials.
- Test and review web applications.
In Australia the Privacy Commissioner has issued a Voluntary Data Breach Notification Guide.