By Roger Carvosso, Product and Innovation Director
Australia’s new data breach notification scheme has been operating for several months. The scheme requires businesses – as well as government agencies and not-for-profits – that handle personal information and turn over more than $3 million per year to notify people affected by serious data breaches.
They must also inform the Office of the Australian Information Commissioner (OAIC). Failing to meet their obligations could cost businesses up to $2.1 million in fines.
The April-June 2018 Notifiable Data Breaches Quarterly Statistics Report revealed organisations had notified the OAIC of 242 breaches – 59% of which were due to malicious or criminal attacks. A further 36% were due to human error, while only 5% were caused by system faults. While 89% of data breaches compromised contact information, a worrying 42% involved financial details, 39% involved identity information and 25% involved health data.
The most common human error was sending email to the wrong person, followed by the unintended release or publication of personal information. However, the OAIC noted that data breaches involving the loss of storage devices affected the largest number of people, at an average of 1,199 affected individuals per breach.
The Australian Cyber Security Centre (ACSC) found at least 77% of cyber incidents during the quarter occurred due to the theft of credentials such as usernames and passwords.
More information is available from the OAIC and the ACSC.
So what are the lessons for small businesses from the launch of the scheme and the April-June report? The first is to recruit or build security capability internally to comply with the requirements of the data breach notification scheme. The second is to implement robust security systems, policies and processes to minimise the risk of data breaches. Importantly, this is not a ‘set and forget’ exercise – these systems, policies and processes must be updated regularly to combat new threats and to ensure workers and managers remain aware of their obligations.