09/21/2021
Under the Notifiable Data Breaches (NDB) scheme, any organisation or Australian government agency covered by the Privacy Act 1988 (Cth)[1] (Privacy Act) must notify affected individuals and the Australian Government, Office of the Australian Information Commissioner (OAIC) when a data breach is likely to “result in serious harm to an individual whose personal information is involved.”[2]
Twice a year the OAIC publishes a report on the notifications received under the Notifiable Data Breaches (NDB) scheme. The most recent report was released on 23 August 2021 (NDB Report), covering notifications received between 1 January and 30 June 2021 (the reporting period).
The following is a summary of the findings set out in the NDB Report:
| Industry | Number of Notifications |
| --- | --- |
| Health service providers | 85 |
| Finance (including superannuation) | 57 |
| Legal, accounting and management services | 35 |
| Australian Government | 34 |
| Insurance | 34 |

| Cyber Incident Type | Percentage |
| --- | --- |
| Phishing (compromised credentials) | 30% |
| Compromised or stolen credentials (method unknown) | 27% |
| Ransomware | 24% |
| Hacking | 9% |
| Brute-force attack (compromised credentials) | 5% |
| Malware | 5% |
1) Rise in impersonation fraud calls for tighter security measures
Impersonation fraud, in which a malicious actor gains access to accounts, systems, networks or locations by impersonating another individual, remains a common method of breach. Accordingly, the OAIC strongly recommends regular review of security measures and the adoption of robust identity verification processes, including multifactor authentication.[3] Adequate staff training in verification processes, and notifying customers of account changes and sign-in attempts, are further measures that help prevent impersonation fraud.[4]
2) OAIC recommendations on assessing ransomware
During this reporting period the OAIC noted that a number of entities had relied on the absence of evidence that data was accessed, viewed and/or exfiltrated to conclude definitively that an incident was not an eligible data breach. The OAIC has made clear that such an assessment is insufficient.[5]
On the contrary, where an entity cannot confirm whether data has been accessed, viewed and/or exfiltrated, this is generally still considered reasonable grounds to suspect that there may have been an eligible data breach, and an assessment under s 26WH of the Privacy Act will be required.[6]
As ransomware attacks remain significant, the OAIC has also recommended that entities have internal practices, procedures and systems in place to assess and respond to ransomware. These include having[7]:
3) Human error breaches remain a cause for concern
While human error breaches decreased this reporting period, this risk remains a major source of data breaches. During this period there were a significant number of cases involving unauthorised disclosure of information, with an average of 523,998 individuals affected per breach.[8]
The human factor also plays an integral role in many cyber security incidents, such as email phishing. To reduce the risk of human error, organisations need to ensure that employees receive adequate training and that appropriate information handling controls and practices are put in place.
If you would like to review the full Notifiable Data Breaches Report, please do so here.
Meanwhile, if you have any questions regarding the Notifiable Data Breaches scheme, please contact our dedicated team of cyber experts, who can provide advice on cyber risk management and insurance solutions.
LCPA: 21/340
Marsh Pty Ltd ABN: 86 004 651 512, AFSL: 238 983.
This document is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Marsh shall have no obligation to update this publication and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Any statements concerning actuarial, tax, accounting, or legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, accounting, tax, or legal advice, for which you should consult your own professional advisors.
[1] Entities covered under the NDB scheme generally include Australian Government agencies, businesses and not-for-profit organisations that have an annual turnover of more than AU$3 million, private sector health service providers, credit reporting bodies, credit providers, entities that trade in personal information and tax file number (TFN) recipients.
[2] ss 26WE, 26WK and 26WL of the Privacy Act 1988 (Cth).
[3] NDB Report Page 16.
[4] NDB Report Page 16.
[5] NDB Report Page 18.
[6] NDB Report Page 18.
[7] NDB Report Page 18.
[8] NDB Report Page 19.