13 December 2022

The Office of the Australian Information Commissioner (OAIC) has just released its latest report on notifiable data breaches, covering the first six months of 2021, and it delivers some important messages.

The Privacy Act 1988 (Cth) stipulates that serious breaches of Australia’s privacy regime must be “notified” to the OAIC, which analyses the facts and figures according to several different criteria.

Here is Moulis Legal’s take on the most interesting trends emerging from the data:

Who’s in the crosshairs

The “usual suspects” continue to crop up with alarming regularity. Yet again, the health services sector is seen to have suffered the greatest number of notifiable breaches. Financial services, education, and professional services have all maintained their unenviable positions in the top 5.

To a large extent, this constant presence of certain sectors in OAIC statistics simply reflects the huge quantities of valuable personal information these sectors process. Big, juicy targets are bound to attract the wrong kind of attention from the wrong kind of people. However, it also reinforces that these organisations need to be especially on their guard in terms of data protection and cybersecurity.

What’s going wrong

The majority of incidents continue to be caused by malicious actors (i.e. hackers), with human error accounting for almost all the remainder. By contrast, pure systems failure is responsible for only a tiny minority of breaches.

On the one hand, this is good news for CIOs – training and upskilling colleagues is usually quicker and cheaper than procuring and implementing new systems. On the flip side, it’s increasingly clear that this training and these skills are now vital to protect businesses and data against “black hat” attacks. Everyone on the home team needs to be able and willing to play their part – it only takes one weak link for defences to crumble.

Ransomware and hacking remain serious threats which require dedicated expenditure and expertise to confront. These are now business critical issues, not “nice to haves”. The Australian Cyber Security Centre’s “Essential Eight” is a list of the bare minimum cybersecurity strategies all organisations should implement.

Other areas of vulnerability include:

  • “social engineering” tactics such as phishing, where an individual is induced to reveal login details or authorise a fraudulent payment;
  • misdirection of emails (e.g. “fat finger syndrome”, where a message is sent to the wrong recipient) or inappropriate use of “reply all” or “bcc”;
  • losing or mislaying documents or devices containing personal information through human error, e.g. the recent publication of data in error by Telstra.

Trends heading in the right direction

There has been a general downward trend in numbers of incidents since 2021. This is particularly noteworthy given that the rise in remote working during COVID lockdowns was widely expected to spark a significant increase in notifiable breaches.

To their credit, it seems that Australian businesses have risen to the challenges posed by a dispersed workforce using a disparate variety of devices and networks. In adapting to these new ways of working, companies seem to have managed to maintain (and even improve) levels of cybersecurity.

A further encouraging trend is that most reported incidents continue to affect fewer than 5000 individuals, with the vast majority affecting fewer than 100 each. The time taken to identify breaches also remains low at a rate of approximately 80% detection within 30 days. Given that the OAIC’s reports only cover notifiable data breaches (i.e. breaches likely to result in “serious harm” to the affected individuals), it looks promising that, overall, successful cyberattacks and other data breaches are decreasing in number and seriousness.

Having said that, there continues to be a small number of much more serious incidents, such as the recent high-profile breaches at Optus and Medibank. These suggest that hackers are unsurprisingly focussing their attentions on high-value targets. Although such targets can be expected to have more robust cybersecurity systems in place, they may nevertheless present a more attractive proposition than smaller, more exposed organisations because of their deeper pockets (and therefore greater ability to pay ransoms), their larger databases of valuable personal information, or maybe a mixture of the two.

Privacy takeaways and steps that need to be taken

The cost of complacency

More cyber-attacks are being launched against Australian businesses than ever before. At the same time, public awareness of data theft is increasing, as are the consequences of failing to comply with the legislation. Although some organisations may have previously underprioritised cybersecurity, seeing the risk of either suffering an attack or copping a fine as acceptably remote, hefty new fines imposed by Parliament are designed to make risk mitigation and security measures more cost-effective than non-compliance.

Although the Privacy Act has historically imposed relatively modest penalties for data breaches, this has now changed dramatically with big increases to maximum penalties for data breaches. Maximum penalties for individuals have risen from AUD 444,000 to AUD 532,800, and penalties for corporations have risen from a cap of just over AUD 2 million to whichever is the highest of:

  • AUD 50 million;
  • 3 times the value of any benefit; or
  • 30 per cent of the corporation’s turnover in the relevant period.

This brings Australia more into line with jurisdictions such as the UK and EU (where penalties of up to EUR 20 million or 4% of worldwide annual revenue can be levied).

In addition, data breaches may have other effects such as negative impacts on a business’ reputation, increased costs (internal and external) of firefighting a breach, loss of future revenue as customers turn to other suppliers, and payment of compensation to affected customers.

Time for some housekeeping

A specific major area of risk identified by recent data breaches is the need to destroy or de-identify personal information as soon as it is no longer needed, as set out in Australian Privacy Principle 11. This is also reflected in the OAIC’s recommendation of “privacy by design”, where privacy and security are designed into systems and processes as foundational principles rather than ancillary functionalities.

However, a general lack of clarity has led to poor levels of compliance and many Australian businesses have got used to treating customer information as an asset rather than a liability. Instead of retaining all such information “just in case”, a better strategy would be to get rid of it whenever appropriate – if you haven’t got it, you can’t be responsible for it being stolen, lost or misused. The New Year is looking like a good time to clear out the filing!

Next steps

In general, all individuals and organisations handling personal information in Australia need to be acutely aware of the threat of data breaches occurring, and of increased penalties for failure to prevent them.

In order to mitigate this threat, they should ensure they review and update their processes and procedures, and roll out best practice training and implementation to make sure the rules are properly understood and followed. If you would like to discuss any aspect of your data privacy or cybersecurity operations, please contact our specialist team.

This memo presents an overview and commentary of the subject matter. It is not provided in the context of a solicitor-client relationship and no duty of care is assumed or accepted. It does not constitute legal advice.

© Moulis Legal 2022