Insight

Lessons from where you don’t want to be: Analysing the OAIC’s latest report on notifiable data breaches

Tell me in a minute

The OAIC’s latest report on the Privacy Act’s notifiable data breach scheme reveals a declining number of notifications.  However, the OAIC remains concerned that organisations are taking too long to assess and notify data breaches and thinks that organisations should adopt a notification by default approach.

On 5 September, the OAIC released the latest of its regular reports on the Privacy Act notifiable data breach regime, covering the period from January to June 2023.

Amongst the usual melange of statistics and charts, the latest report provides some useful insights into the OAIC’s view of the data breach landscape and the way that organisations are approaching their notification obligations.  This article summarises our key takeaways.

Declining number of notifications, but beware ongoing cyber risks

Public awareness of the threat of data breaches has perhaps never been higher, given recent high-profile breaches affecting large businesses such as Optus, Medibank, Latitude and HWL Ebsworth.  However, a headline statistic from the OAIC’s report is that the number of notified data breaches was 16% lower than over the previous 6 months from July to December 2022 (though this reduction should perhaps be treated with caution, as the OAIC notes that there has been a consistent, albeit unexplained, trend towards higher notifications in the latter half of the calendar year).

One interesting aspect is that the proportionate decrease in notifications was highest for breaches caused by underlying system faults (as opposed to malicious or criminal attacks or human error).  Only 14 notified breaches were attributed to system faults during the latest reporting period, a 42% drop from the 24 that were reported in the previous period.  This could suggest that organisations are getting better at hardening their compliance systems to protect against privacy breaches.  If so, this would be an encouraging trend, as other regulators have consistently warned of the importance of ensuring strong compliance systems are in place to deal with privacy-adjacent risks.  For example, the ACMA’s latest report on spam compliance identifies system issues (such as issues in syncing different marketing databases) as a key cause of spam breaches.  To mitigate the risk of system-related spam, the ACMA recommends that organisations should:

  • Undertake thorough testing of compliance processes and controls whenever implementing system upgrades or transitioning to new systems (special attention should be paid to any “out-of-the-box” default configurations or control settings, in order to ensure they are appropriate)
  • Monitor and test automated processes and controls on a periodic basis to ensure that they are working as expected
  • Monitor system data that may help to identify an underlying system issue

This is sensible advice for any systems that are used to manage personal information.  However, reliable compliance systems only take you so far.  Significantly, over the latest reporting period, 21 of the 23 large scale breaches (i.e. those affecting over 5,000 Australians) were caused by cyber incidents, including ransomware, stolen credentials, hacking, brute-force attacks, malware, and phishing.  The OAIC calculated that on average each cyber incident notified to the OAIC during the latest reporting period affected 319,761 individuals, while incidents in the next highest category, which related to rogue employees / insider threats, affected only 845 individuals on average.  While these numbers may be skewed by a few mega-scale cyber incidents, it is still clear that the external threat presents by far the biggest risk of a major breach incident.  As such, organisations would be well-advised to invest in the best possible cyber security safeguards in order to mitigate this risk.  Please refer to this previous article for our latest insights on Australia’s cyber landscape, and the duties that Australian entities and directors have to specifically address cyber security risks and consequences.

Organisations are expected to have mature compliance processes in place, and to act swiftly

The OAIC report notes that the notifiable data breach regime is well established, having come into effect more than 5 years ago, and that organisations should by now have established effective compliance processes.  Based on the OAIC’s commentary, it seems unlikely that the OAIC will cut organisations much slack if they are seen to be too slow in investigating and assessing potential breach incidents.  In particular, the report specifically indicates a willingness for the OAIC to use new information gathering powers under section 26WU of the Privacy Act, which were introduced as part of a package of changes to strengthen the enforcement aspects of the Act in late 2022.  Those powers enable the OAIC to compel organisations to provide information about a suspected or actual data breach, even if the breach has not yet been formally notified to the OAIC.  We would not be surprised to see the OAIC actively using these powers in the next 6 months if it considers an organisation is dragging its feet.

The OAIC’s continuing concerns about timing relate both to the time taken to identify the breach (while the report shows that the vast majority of breaches are discovered within 30 days, there are still a significant number that take longer to identify, particularly those that relate to underlying system issues, which may not be immediately apparent) and also to the time taken to notify the OAIC once the breach has been identified (again while the majority of breaches are notified to the OAIC within 30 days, a significant proportion (26%) are notified outside this timeframe).  In the report, the OAIC is particularly critical of organisations that take a sequential approach to their investigation, so that the impact of a breach incident is only considered after a full forensic investigation has been completed, rather than in parallel.  The OAIC also criticises organisations that spend too long on complex technical reviews to understand exactly what occurred and who was impacted before they issue a formal notification, even though the overall severity and scale of the breach may have been readily apparent at an earlier stage.  In the OAIC’s view:

Generally, the steps in response to any data breach should be taken simultaneously or in quick succession. Entities should also consider whether all the steps are necessary, if any can be combined, or if they need to be re-ordered to ensure the most reasonable and prompt assessment outcome.

This aligns neatly with recommendations made by the Attorney General’s Department in the Privacy Act Review Report released earlier this year to the effect that the Privacy Act should be updated to allow reporting of data breaches in a staged manner, so that organisations can report a breach early and then progressively provide more detail about the breach as their investigation progresses, rather than waiting for the investigation to be completed before venturing to issue a comprehensive breach notice.  From the OAIC’s point of view, time is of the essence when it comes to breach management and notification.  The Commissioner emphasised this point in the media release accompanying the report, saying that “The longer organisations delay notification, the more the chance of harm increases.”

These comments and proposed legislative changes illustrate what a difficult position it is to be the subject of a major data breach incident, where ascertaining the precise scale and nature of the impact of the incident will require significant effort and time.  Organisations need to weigh up many factors, which may be finely balanced, in order to decide when the right time is to notify the OAIC and, of course, any affected individuals.  There is always the risk that rushing the process may result in over-notification, which may in turn result in needless concern and expense both for the organisation in question and its customers.  Despite this, it is perhaps hardly surprising that the OAIC is pressing for organisations to effectively adopt a notify-by-default approach.

If an entity suspects a data breach has occurred but is unable to eliminate that suspicion quickly and confidently, the entity should consider proceeding on the presumption that there has been a data breach. Notification obligations are triggered once there are reasonable grounds to believe that an eligible data breach has occurred. Conclusive or positive evidence of unauthorised access, disclosure or loss is not required for an entity to assess that an eligible data breach has occurred.

Given the objective of the scheme is to promote notification, entities’ assessments should weigh in favour of notifying the OAIC and affected individuals.

The OAIC’s report also stresses that a notifiable breach can occur simply where there has been unauthorised access to personal information on a compromised system, even if there is no evidence (or no evidence yet) of data having been exfiltrated from that system.  The report provides an example of an organisation that identified a server that had been compromised in a cyber attack.  While the organisation could identify the information that had been exfiltrated, it could not determine with certainty whether any other information may have been accessed during the incident.  In that case, the entity took a “cautious” approach and assumed that all personal information stored on the server at the time of the attack had been accessed by the threat actor, with all potentially affected customers then being notified in order to ensure that they could take steps to reduce their risk of harm.  Clearly such an approach presents a risk of significant over-notification, with some individuals potentially being notified of a breach that has not affected them at all.  Organisations will face difficult and time-pressured decisions about whether they are prepared to adopt this type of “cautious” approach.

Beware the mosaic effect

One interesting comment in the report is that recent large scale data breaches (with the latest reporting period featuring the first notified breach incident to have affected more than 10 million Australians) have elevated the likelihood of a “mosaic effect” whereby separate pieces of information can be pieced together in order to increase their usefulness for future identity theft, fraud, or further attacks (e.g. phishing).

The report notes one example in particular whereby a company’s systems were attacked using identity credentials obtained from an attack on another entity.  The threat actors had been able to leverage that previously compromised information in order to perpetrate a fresh attack on a new entity.  In this way, major data breaches can have a cascading effect across the broader economy.

According to the mosaic effect, the more data breaches there are that result in compromised information becoming available to bad actors, whether via the dark web or other means, the greater the risk presented by future data breaches.  Following this theory through, organisations may in future need to adjust their own risk assessments in order to consider whether information that has been compromised in an attack on them could be combined with information from previous attacks on other organisations in a way that would elevate the risk of serious harm to a point where a breach notification is required, even though each breach assessed in isolation may be considered low risk.  This type of risk calculation will only become more complicated as more Australians are affected by data breaches – after all, with the recent slew of major breaches, those Australians who have not yet had their information compromised in some way may already be in the minority.  The role of expert cyber security consultants in assessing overall risks of this nature is likely to become more important as the overall data breach landscape continues to evolve, and different sources of compromised data become more available to bad actors.

To combat the mosaic effect, it is critical for organisations to:

  • put in place strong system authentication and access controls so that they work effectively to reduce the risk of unauthorised intrusion even if a user’s identity credentials have been compromised in some separate attack – use of multi-factor authentication and requiring passwords to be regularly updated are two key ways of controlling this increased risk
  • ensure that their workers and customers are well informed of potential risks, including on how to identify potential phishing attacks and other scams. In particular, organisations should be looking to cultivate a security and privacy-aware culture within their staff, with regular training and clear processes for identifying and escalating potential concerns before they become real

At KWM we work closely with many organisations on the design and practical implementation of data breach response plans and, of course, on managing major data breach incidents.  Please reach out to our team if you have any questions or would like to learn more about our capability in this area.