Source: Office of the Privacy Commissioner
This year, make it your New Year’s resolution to be across your privacy obligations.
There has been a notable increase in data breaches reported to the Office of the Privacy Commissioner, prompting a reminder to agencies and businesses that they must protect the data they hold about the public.
Privacy Commissioner Michael Webster is encouraging agencies to understand that breaches can happen to anyone; there is no room for complacency.
And when breaches happen, it is important that those in charge of an organisation take a people-centric approach. That means putting the welfare of the people whose data may be exposed – the public and their own staff – first if they suspect their organisation has been targeted by a hack or has inadvertently been breached.
Comparing the first half of the current financial year to the same time period of the previous financial year, there has been a 41% increase in privacy breach notifications which meet the serious harm threshold (207 v 147).
[Chart: Number of serious privacy breaches by financial quarter]
The industries reporting the most serious breaches are, in this order: Health Care & Social Assistance; Public Administration & Safety; Services (Professional, Scientific, Technical, Administrative and Support Services); Education & Training; and Finance & Insurance.
There is also a slight increase in the percentage of serious breaches caused by malicious activity; however, the majority of breaches are caused by human error.
[Chart: Cause: Intentional or malicious activity – Number of serious privacy breaches reported to OPC in 2022]
For serious privacy breaches caused by human error, the most common types of breach are email error and unauthorised sharing. The most common type associated with serious breaches caused by malicious activity is unauthorised access. This includes phishing attacks, email system hijacking for spam or fraud, and installing malware including ransomware. These malicious attacks can impact on the privacy of thousands of people.
For example, the ransomware attack on Mercury IT in December is logged as only one breach, but several agencies reported suffering breaches from that one attack.
When agencies experience ransomware attacks relating to personal information, we recommend they, at least initially, treat these breaches as having the potential to cause serious harm, given the malicious intent of the attackers and the uncertainty associated with events like these. This means that they should be notified to the OPC.
By far the most common type of harm associated with serious privacy breaches is emotional harm – more than a third of all serious breaches reported to our Office involve this type of harm. Other common types of harm include reputational harm, identity theft and financial harm.
Mr Webster says that means reaching out and reporting a suspected breach to the OPC as soon as possible.
“Report it. Report the breach as early as possible. Notifiable privacy breaches should be reported within 72 hours of the breach being identified. We will work with you as you go through a triage response and help guide you to bring your agency through a crisis.”
Mr Webster says it is important agencies and departments prioritise the victims of a breach first as they work to understand the extent of any attack.
“That means letting this Office know. We are the regulator, and we are here to help support and educate where appropriate. Sharing the learning from these incidents is one way we can help prevent or limit the impact of future cases.”
Mr Webster noted that since the introduction of the Privacy Act 2020, there had been an improvement in the timelines and standard of reporting on data breaches. But agencies needed to keep a focus on improving privacy practice, especially in the digital environment where the threats to data are rapidly evolving.
There are 13 principles of the Privacy Act that every organisation that handles people’s data should make itself familiar with.
“It is not quite 12 days of Christmas, but it is 13 principles designed to help you navigate this incredibly fast-changing and demanding environment. Agencies need to be aware that privacy is important and worth protecting.”