Data breach: don't think it won't happen to you

Late last month marked eight months since the introduction of Australia’s notifiable data breach laws.

The milestone passed without much fanfare. But don’t let that lack of publicity disguise the vital importance of the Notifiable Data Breach Scheme to your business – and most of all, don’t make the mistake of thinking a data breach is something that just happens to other people.

As Andrew Solomon, from the Office of the Australia Information Commissioner, told a Perth GRC Institute event recently – it’s far more a case of when rather than if your business will have to deal with a data breach. Communicating with stakeholders is a vital part of any response to a breach.

“It’s very unlikely an organisation will never have one,” Deputy Commissioner Solomon said.

Here are five other key takeaways from the third set of quarterly statistics released under the NDBS.

1. Human error will always be there: Somewhere, back in the deep recesses of human history and long before the Internet was a thing, some poor person somewhere screwed up by sending the carrier pigeon to the wrong place (or the bird just flew there of its own volition). The Notifiable Data Breach Scheme didn’t exist way back then but the same ability to make a hash of things lives on.Step forward the 29 incidences between July 1 and September 30 of personal information being sent to the wrong recipient by email, the six reported failures to use BCC when sending an email, the 13 times information was simply sent to the wrong person by old-fashioned snail mail, and 13 times paperwork or a data storage device was just plain lost. You can put in place as many IT procedures as you like (and you should!) but where human beings are involved, so too will there be human error.
2.  We’re a malicious bunch: Well, probably only as a minority …  but in the abbreviated first set of NDBS  figures released by the OAIC – covering February 22 to the end of March – only 40 per cent of notified breaches were found to be malicious. In the second statistical release, covering a full three months from April through to the end of June, that proportion had risen to 59 per cent.This time it was 57 per cent.It’s actually the percentages within the percentages that are the most interesting: 69 per cent of all malicious or criminal attacks were cyber incidents, half of which were the result of “phishing.” Twelve  per cent of cyber incidents involved “brute force” and a combined 19 per cent came from either malware, ransomware or hacking. The lesson? You can’t be too careful with anything you do online.
3. An “unhealthy” situation: If there’s a consistent theme through the first three statistical releases from the scheme, it’s that the health sector is the major “offender”. It has been the leading sector for breaches each time: from 35 per cent in February and March, to 20 per cent from April 1 to June 30 and now 18 per cent for July, August and September. That situation mirrors what has been observed overseas.Interestingly, the health providers category may very well include your local gym or child care centre but possibly not the state-owned hospital down the road. Health service providers within the scheme are restricted to the private sector and do not generally include state or public territory public hospitals, which are instead bound by local privacy laws.
4. We’re ahead of schedule: One very interesting aspect of the recent Perth event was learning that the OAIC had “budgeted” on having perhaps 500 breaches reported in the first year of operation. It based this estimate, in part, on the experience of Holland, which introduced its own scheme in 2015.In actual fact, there have been nearly that many – a total of 487 – over the past two quarters alone. Is it cause for concern? The OAIC says “no” and that in many ways it’s good to see people adhering to the scheme.
5. Hold tight: With the scheme not even a year old, there is going to be some volatility in the statistics. Breaches in the legal and accounting sector were up 70 per cent in the July-September quarter but the OAIC believes that jump merits a “wait-and-see” approach. It could actually be a product of heightened understanding of the scheme or an increased commitment to compliance – rather than a rash of breaches.

Cannings Purple Director of Digital Jamie Wilkinson is an expert in proactively preparing communications strategies to respond to data breaches and managing communications during a data breach crisis. Email Jamie.

You can also download our Data Breach Whitepaper