Key takeaways
Could an increase in data breaches be another one of COVID-19's devastating domino effects?
Shortly after December 2019 made its name in the history books with the introduction of the COVID-19 pandemic, the Office of the Australian Information Commissioner (OAIC) published its fifth Notifiable Data Breaches Statistics Report.
This report recorded an astounding 119% jump in reported data breaches. That raises the question: is a rise of this size, around the time COVID-19 emerged worldwide, just a coincidence, or is there more to it?
Jumping forward to today – are we still in strife?
The OAIC publishes a Notifiable Data Breaches Report every 6 months. Recent statistics from the July to December 2021 reporting period show a 6% jump in data breaches, from 436 to 464.
According to the OAIC, 55% of breaches resulted from malicious or criminal activity, and 41% from human error. Most breaches (96%) involved the personal information of 5,000 individuals or fewer, and 71% of data breaches affected 100 people or fewer.
Malicious or criminal attacks decreased from 64% to 55%, whereas human error was up 43% (from a total of 133 to 190). Of these human errors, 43% involved personal information emailed, faxed or posted to the wrong recipient, and 21% involved the unintended release or publication of information. The most common type of information breached was personal information, such as:
- Contact information;
- Identity information; and
- Financial details.
The top industry culprits were:
- Health service providers;
- Finance;
- Legal; and
- Accounts and management services.
The OAIC reported that 80% of total breaches were identified within 30 days of occurring.
COVID-19 correlation – is there one?
The first reported case of COVID-19 was in December 2019, whereas the highest spike in privacy breaches occurred one month prior, in November 2019. That month saw a total of 106 breaches reported to the OAIC.
However, it is hard to look past the fact that there was a sudden 119% jump between reporting periods around the time the pandemic that stopped the world began.
Several questions run through our minds when reading the statistics. Did the newly unemployed take to malicious online behavior? Or could this simply be explained by our well-loved working-from-home arrangements, especially given the recent rise in human error?
The OAIC Notifiable Data Breach Scheme has been in place since 2018. Could this data simply be explained by the fact that more entities were partaking in reporting practices one year since establishment, with no correlation to COVID-19 whatsoever?
Or is it simply that there is a rise in the use of technology and online currencies?
What can you do to protect yourself?
The OAIC stated that many organizations are falling short of the scheme's assessment and notification requirements, and that there is no identifiable correlation between COVID-19 and the spike in breaches.
The Privacy Act 1988 outlines the 13 Australian Privacy Principles, which should be the first point of reference for any entity unsure of its rights and obligations. These obligations include the management of personal information and security measures.
The Australian Privacy Principles are available on the OAIC website.
Privacy obligations are not to be taken lightly, as a failure to comply can lead not only to a higher risk of being exposed to data breaches but also to fines of up to 2.1 million.
These fines could substantially increase under the draft bill, which is expected to be passed by the end of 2022. It proposes the introduction of fines of up to 10 million dollars, three times the value of the information obtained through the breach or 10% of the annual revenue.
Conclusion
With the recent rise in privacy breaches due to human error, businesses must take measures to ensure staff are adequately trained and that security measures remain up to date with the Australian Privacy Principles. If unsure, businesses should engage a cybersecurity expert to undertake a privacy impact assessment.
Get in touch with us!
McInnes Wilson Lawyers can help:
- Assess your current data management plan and advise of ways to limit your exposure;
- Develop or build on your data management plan that sets out the roles and responsibilities for managing data breaches;
- Develop processes for data containment in the event of a potential breach;
- Advise on strategies to mitigate future breaches;
- Liaise with the right information technology and security experts to assist with the protection of private information; and
- Advise on your exposure to penalties under the Privacy Act.
If you require any assistance or have any questions, please fill out the enquiry form below and mention this article for an obligation-free appointment.