The Office of the Australian Information Commissioner (the OAIC) has released its second Quarterly Statistics Report on the mandatory notifiable data breaches scheme. There were 242 total data breaches reported in the last quarter – a marked increase from the 63 data breaches reported in the first quarter report of the regime (even allowing for the fact that the initial report included only six weeks of data). This brings the total number of data breaches reported to 305 since the commencement of the scheme on 22 February 2018.
Interestingly, the source of data breaches is now predominantly malicious or criminal in nature (59%), rather than caused by human error as was the case in the previous quarter. The main source of breaches that were malicious or criminal in nature stemmed from cyber incidents (i.e. phishing, hacking, malware, etc.) rather than rogue employees. This indicates that privacy-by-design should be a key focus for organisations when looking to ensure they have strong information security and processes in place to combat malicious or criminal attacks of this nature. Policies detailing the organisational response to such incidents should also be established to ensure quick containment and mitigation of the impact of any attack.
Human error is still a large contributor to data breaches (36%), which indicates that Australian organisations should also continue to focus on mandatory, regular training to ensure personnel are familiar with privacy requirements and appropriate handling of personal information. Systems that enable deferred sending, in addition to training, might also be an appropriate measure given that the OAIC has indicated that many breaches caused by human error stemmed from personal information being sent in error to the wrong recipient via email or mail.
We will continue to monitor developments from the OAIC in this space, and will keep you updated. For a quick refresh on the scheme and its scope, please see our earlier publications.