The Office of the Australian Information Commissioner has published its first Quarterly report on the Notifiable Data Breaches Reporting Scheme since its introduction on 22 February 2018. Background.
The OAIC received 63 data breach notifications under the scheme during the first six weeks of the scheme’s operation. In the 2016–17 financial year, the OAIC received 114 data breach notifications on a voluntary basis.
Causes
Human error was the cause of the largest number of eligible data breaches reported to the OAIC (51 per cent). Human error may include inadvertent disclosures, such as by sending a document containing personal information to the incorrect recipient. This was closely followed by malicious or criminal attacks as the source of the data breach (44 per cent). Malicious or criminal attacks usually involve the theft of personal information, or cyber security incidents resulting from unauthorised access to an entity’s systems. Data breaches were also caused by system faults (3 per cent).
Sectors
The top five sectors that notified the OAIC of eligible data breaches were health service providers (24 per cent of notifications), legal, accounting and management services (16 per cent), finance (13 per cent), private education (10 per cent), and charities (6 per cent).
Types
The majority of data breaches reported to the OAIC involved ‘contact information’ (78 per cent), such as an individual’s name, email address, home address or phone number. This is distinct from ‘identity information’, which refers to information that is used to confirm an individual’s identity, such as driver licence numbers and passport numbers. Entities also reported data breaches that involved individuals’ tax file numbers, financial details (30 per cent), such as bank account or credit card numbers, as well as health information (33 per cent).
90 per cent of data breach notifications related to breaches involving the personal information of less than 1,000 individuals. 59 per cent of data breach notifications reported that the personal information of between one and nine individuals was affected.