The number of data breaches reported in Australia has risen 712 per cent since the introduction of the privacy watchdog’s mandatory reporting scheme.
The scheme, introduced one year ago, requires Australian entities with an annual turnover of $3 million or more, with few exceptions, to report any data breaches likely to result in “serious harm” to the Office of the Australian Information Commissioner.
The latest report, released by the OAIC this week, shows a continued trend of human error leading to breaches, with health and finance as the worst offending sectors.
The OAIC report warned organisations which fail to comply could face regulatory action but also urged organisations to “move beyond a purely compliance mindset”.
Under the previous voluntary reporting scheme, in its corresponding 12 months just 159 breach notices were filed.
In contrast, the mandatory reporting scheme has produced 964 reported breaches in its first year.
According to the latest report, “The increase in notifications reflects a significant increase in entities’ awareness of and compliance with their obligations to notify the OAIC and affected individuals where a breach of personal information is likely to result in serious harm.”
Of the reported breaches in the last 12 months, 60 per cent resulted from malicious or criminal attacks, while 35 per cent came from human error. Just five per cent were the result of system faults.
A breakdown by sector shows health service providers and finance entities reported the most breaches, a reflection of the scale and sensitivity of the data and the volume of data processing common in those sectors, according to the report.
Both the finance and health sectors had significantly higher rates of human error leading to breaches, including several instances of personal information being sent to the wrong recipient, according to the report.
The size of the breaches reported to the OAIC is relatively small: 83 per cent affected fewer than 1,000 people and just 15 affected over 50,000. The small-scale breaches are likely the result of poor practices by individual employees, while the rarer large-scale breaches involved multiple parties.
The most common information compromised in a breach was contact information, followed by financial details and identity information. Entities are only required to report breaches that are likely to result in “serious harm” to individuals. While contact information alone is unlikely to cause that, it can enable phishing and subsequent harm to individuals, a scenario entities were recognising in their reporting, the report said.
Australian Information Commissioner and Privacy Commissioner Angelene Falk said that, with one year of enforcement behind them, organisations covered by the scheme should now be complying.
“After more than 12 months in operation, entities should now be well equipped to meet their obligations under the scheme, and take proactive measures to prevent breaches of personal information.
“The requirement to notify individuals of eligible data breaches goes to the core of what should underpin good privacy practice for any entity — transparency and accountability.”