We have been warned: tighter policing of the Notifiable Data Breaches Scheme in the wake of the Banking Royal Commission

The ripples (or perhaps, waves) created by the Banking Royal Commission are expected to impact upon the manner in which many all Australian regulators approach their enforcement activities, not merely those responsible for the financial services sector.

In particular, it appears that a new approach may be adopted by of the Office of the Australian Information Commissioner (OAIC) with respect to the manner in which it regulates the Notifiable Data Breaches Scheme (NDB Scheme).

Background

No additional resources were given to the OIAC to regulate the NDB Scheme upon its introduction in February 2018. Accordingly, the diverted resources available have been focused on processing notifications and selecting a limited number for further attention.

However, at a recent presentation, the OAIC noted the impact that the Banking Royal Commission is likely to have on the approach of Australian regulators in response to the 'community expectation' that they be more proactive. It was suggested that the business community should expect to see the OAIC's response to those shifting expectations 'over the next couple of years'.

The warning was subtle, but clear: we can expect to see the OAIC take a more active approach to compliance with the NDB Scheme and the Privacy Act 1988 (Cth) (Privacy Act) more generally.

Accordingly, now more than ever, it is prudent for organisations to ensure that they have the necessary policies and practices in place to respond to a data breach in the manner required under the NDB Scheme.

Application of NBD Scheme

The NDB Scheme applies to agencies and organisations which are subject to the Privacy Act. This includes, amongst others, organisations with an annual turnover of $3 million or more, Australian Government agencies, credit reporting bodies, and health service providers.

The NDB Scheme only applies to data breaches involving personal information that are likely to result in serious harm to any individual affected. These are referred to as ‘eligible data breaches’ or 'notifiable data breaches'.

When an agency or organisation becomes aware of reasonable grounds to believe an eligible data breach has occurred, they must promptly notify the OAIC and any individuals at likely risk of serious harm. The  potential consequences for failing to report a notifiable data breach are serious. Such a failure is considered an interference with the privacy of individuals which can attract civil penalties of up to $2.1 million.

The state of play

The OAIC Notifiable Breaches Quarterly Statistics Report for July - September 2018^[1] showed that:

1. 92 (37%) of the 245 reported data breaches were attributable to human error;
2. these human error breaches predominantly included unauthorised disclosures via verbal communications, failure to redact information, unintended publication of information, and information sent to the wrong recipient; and
3. many of the breaches attributable to malicious or criminal attacks also involved an element of human error whereby the perpetrator targeted and exploited vulnerabilities due to the involvement of a human factor (for example, an individual clicking on an attachment to a phishing email). Accordingly, of the 245 total breaches, the majority can be said to have involved at least some element of human error.

This data is useful to businesses as it identifies some of the key areas in which they should direct their attention for the purposes of reducing the risks associated with in operating in an era of tighter regulation. 

Avoiding data breaches caused by human error

Various steps can be implemented as part of standard work procedures which can reduce the risk of human error. These include:

1. requirements for strong passwords;
2. automated notifications that warn of the fact that an email is to be sent to external recipients; and
3. training of staff to increase their awareness of their responsibilities with respect to the handling of personal information and how outside agents might seek to exploit any weaknesses.

A common example of human error causing a data breach is inadvertently sending an email to the wrong recipient. Sending personal information to the wrong recipient via email accounted for 12% of all data breaches reporting during the last quarter.^[2]

However, the number of such occurrences is likely much higher. This is because the contents of the email, the circumstances in which it was sent, and the subsequent actions of the organisation will determine whether notification is the appropriate response to such a breach.

For example, were an email is only sent to one person who is known to the sender, it may be enough to avoid any likelihood of serious harm (and thereby the need to notify the OAIC and the affected individual) if the sender contacts the recipient and receives an assurance that the recipient has deleted the email.

Conversely, if the email is sent to a large pool of recipients, or an individual that is not well known to the sender, it may be impossible for the organisation to be satisfied that the likelihood of serious harm has been eliminated. It is in this scenario that notification of the breach might need to be given.

But not all human error is inadvertent. A specific, real life example of a notifiable data breach caused by human error involved a UK healthcare entity. Sensitive patient data held by the entity was not destroyed or deep cleaned off hard drives which were then sold second hand on eBay. The entity failed to ensure that they engaged a data controller who was able to provide guarantees of technical security, despite the hard drives being identified as an "obvious risk". It also did not ensure sufficient records were taken to create a reliable audit trial for the hard drives and their status. As a result, 79,000 records were compromised. Rigorous risk management processes could have prevented this breach.  

Prepare for the worst

No amount of training or security safeguards will eliminate the risk of data breaches caused by human error. So, in conjunction with the steps outlined above, steps should be taken to prepare the organisation's response to a breach. Primarily, this involves ensuring your data breach response plan is up-to-date, in place and has been thoroughly tested. 

Running hypothetical "breach" scenarios is one practical way in which an organisation can test the efficacy of its data breach response plans. For example, organisations often send fake phishing emails to their employees which record whether any employees are caught by the emails as a way to identify any need for additional cyber security training.

Organisations can use the response of its employees to such emails as the catalyst for a test of their data breach response plan. That is, upon receiving a response from an employee that would compromise one of its systems had it been a real phishing email, the organisation could then run through the practical consequences of a subsequent breach. What type of data could have been compromised? How many individuals would have been affected? Who would constitute the organisation's response team? Who would need to be notified of the breach? Such testing is an effective way to ensure that the data breach plan and procedures an organisation has in place will work in reality, or whether there are improvement opportunities which can be implemented.   

Key takeaways

A clear message has been sent to business that 'community expectations' will likely lead to stronger regulatory action.

The OAIC's scrutiny of compliance with the NDB Scheme is expected to increase over the next few years. Organisations and agencies should ensure that they have robust and tested procedures in place so as to avoid attracting the attention of the regulator at the worst possible time.

Taking practical measures to prevent breaches is important. Ensuring that your organisation or agency has compliant privacy policies and practices, and that all staff are adequately trained and tested, could prevent a notifiable data breach.

But being prepared in the event of a breach is equally important. Organisations should practice and prepare for a data breach. This will obviously include implementing and testing a data breach response plan. However, organisations and agencies are also encouraged to audit their systems to identify what personal information each system contains. This information is crucial when a system is hacked, or exposed by human error, and a decision needs to be made as to the potential privacy implications for affected individuals.