The Privacy Commissioner's latest Notifiable Data Breaches (NDB) Report for January to June 2020 provides important insights and take-aways for organisations and Federal government agencies bound by the Privacy Act.
The key finding of the report is that malicious or criminal attacks remain the leading cause of data breaches, with human error continuing to be the second largest cause of data breaches. This is perhaps not surprising given the well-publicised increase in cyber-attacks during the COVID-19 crisis. What may be surprising (at least to some) is that the OAIC's view is that changed business practices in response to COVID-19 do not appear to have resulted in an increase to the number of reported data breaches.
In addition to the usual statistical analysis of sources and trends of data breaches, the latest report provides interesting analysis of the time organisations take to notify following a data breach, as well as providing an example of what to include in a best practice data breach notification. The message from the OAIC is clear: the OAIC will continue to closely monitor compliance with data breach notification and data security obligations, COVID-19 pandemic or not.
Criminal attacks as cause, not COVID-19 changes
The report contains a number of key findings, one of which is the increase in notified data breaches caused by ransomware attacks and impersonation:
- the number of data breach notifications attributed to ransomware increased by 150% compared to the previous reporting period.
- malicious actors and criminals were responsible for three in five data breaches notified to the OAIC over the past six months.
- the number of notifications resulting from social engineering or impersonation increased by 47% during the reporting period.
Malicious and criminal attacks remain the leading cause of data breaches notified to the OAIC, accounting for 61% of all notifications.
The number of eligible data breaches reported was 518, a slight reduction from the 532 reported in the previous six-month period. The cause of reported data breaches remains fairly constant and consistent with earlier reports from the OAIC.
Data breaches resulting from human error continue to be the second largest cause of notified data breaches accounting for 34% of all breaches. The leading cause of data breaches attributed to human error is sending personal information to the wrong recipient via email. As in previous reporting periods, this statistic is a reminder to mitigate the risk of human error resulting in data breaches through regular training of staff who handle personal information and nurturing a privacy culture within the organisation.
1. Don’t delay: Rapid identification, assessment and notification is critical
The report provides interesting analysis of the time organisations take to assess and notify following a data breach. While 77% identified the data breach within 30 days, in 47 instances the reporting entity took between 61 and 365 days to become aware that a data breach had occurred, and 14 took more than a year.
The OAIC confirms that a delay in the identification, assessment and reporting of a data breach may trigger the OAIC to question the reporting organisation's broader compliance with the Privacy Act. In particular, the organisation's obligations with respect to data security and to have practices, systems and procedures in place to ensure compliance with the Australian Privacy Principles. . The OAIC does not go further in the report to say that a delay may trigger an own-motion investigation, but it would be prudent to see the report as putting organisations and agencies on notice: rapid identification, assessment and notification is critical in a data breach and a failure to do so (or to be able to do so) may indicate a bigger problem with the organisation's or agency's privacy management framework.
2. Data mapping and data security is fundamental to mitigating risk of data breach
The OAIC notes the trend in ransomware attacks for the attackers to export or exfiltrate data from a network before (and in addition to) encrypting the data on the target network. (Generally, where there is a ransomware attack, the organisation undertakes investigations as to whether there has also been unauthorised access to and/or export of data in order to assess whether an eligible data breach has occurred.)
In light of the evidence that data exfiltration is increasingly a "default function of ransomware attacks", the OAIC's view is that organisations may now have grounds to suspect that a ransomware attack constitutes an eligible data breach at the time they become aware of the ransomware attack (rather than waiting for evidence of access to or export of data). This is critical from a timing perspective: any delay in the organisation suspecting and reporting a data breach could increase the likelihood of serious harm to the affected individuals.
In the media release accompanying the report, Privacy Commissioner Angelene Falk states that this trend in ransomware attacks also "highlights the need for organisations to have a clear understanding of how and where personal information is stored on their network, and to consider additional measures such as network segmentation, robust access controls and encryption.
3. OAIC provides example of a best practice notification
For the first time, the report includes an example of best practice notification to individuals affected by the data breach. The example is of a data breach that involved the financial, contact, identity details and Tax File Numbers of over 1,000 people. The guidance is that the notification should include the following (much of which would already need to be included under the OAIC's guide to managing data breaches, but the example provides some additional incident-specific content. The aim of the notification to affected individuals is to promptly provide information about the data breach and, as provided in this best practice example, practical advice to help affected individuals take action to reduce the risk of harm as a result of the data breach):
- a comprehensive summary of the data breach and what the entity did to contain and remediate the breach.
- an itemised summary of all the types of personal information exposed in the data breach.
- a number of practical steps that those affected should take in response to the breach, including:
- guidance on best practice in relation to the use of email and cyber security practices tailored to reflect the heightened risk of targeted spear phishing or fraudulent approaches to individuals affected by the breach;
- specific advice on steps individuals could take to reduce the risk of unauthorised access to bank accounts, credit cards and superannuation accounts;
- recommendations on options for placing credit bans on credit files; and
- advice on how to contact Australian Government agencies about breaches of identity information such as Medicare number and TFN.
The OAIC may also direct an organisation to re-issue notifications that fall-short of the required standard. Given the potential reputational damage (or at best, embarrassment and inconvenience) that comes with notification of a data breach, notifications should now be checked against this "best practice" example, as well as the OAIC's guide to managing data breaches.
Keep privacy-safe in the time of COVID-19
While the OAIC does not attribute the slight increase in data breach notifications in May 2020 to changed business practices in response to COVID-19, there is no relief from privacy compliance and notification of data breaches during the pandemic and recovery period.
The report and commentary from the Privacy Commissioner is a timely reminder for organisations and agencies to continuously review the privacy impacts of any business practices changed in response to COVID-19 and through recovery, and assess and address any associated privacy risks. To help with this, the OAIC has released useful guidance on privacy practices in response to COVID-19.