OAIC received data breach reports nearly daily in first half of 2024

Privacy Commissioner Carly Kind, OAIC.

The Office of the Australian Information Commissioner (OAIC) released its latest Notifiable Data Breaches Report, revealing a concerning uptick in data breaches across the nation.

In the first half of 2024, 527 data breaches were reported to the regulator, marking the highest number since the latter half of 2020 and a nine per cent increase over the previous six months.

Privacy commissioner Carly Kind is alarmed at the findings.

"Almost every day, my office is notified of data breaches where Australians are at likely risk of serious harm," Kind said.

"This harm can range from an increase in scams and the risk of identity theft to emotional distress and even physical harm," she added.

The report highlights a significant gap between current privacy and security measures and the evolving threats to personal information.

Commissioner Kind emphasised the urgent need to address this disparity, calling it a "priority" for organisations handling sensitive data.

Perhaps the most startling revelation was the MediSecure data breach, which affected approximately 12.9 million Australians.

That incident stands as the largest breach in terms of individuals affected since the implementation of the Notifiable Data Breaches scheme.

Consistent with previous reports, malicious and criminal attacks remained the primary source of breaches, accounting for 67 per cent of all incidents.

Cyber security incidents made up 57 per cent of these attacks, underscoring the persistent and sophisticated nature of digital threats.

The health sector and the Australian Government emerged as the most vulnerable, collectively responsible for 31 per cent of all reported breaches.

This statistic serves as a stark reminder that both private and public sectors face significant challenges in safeguarding personal information.

Commissioner Kind noted that six years after the launch of the Notifiable Data Breaches scheme, the OAIC's expectations of organisations have considerably increased.

"The Notifiable Data Breaches scheme is now mature, and we are moving into a new era in which our expectations of entities are higher," she said.

Recent enforcement actions against high-profile organisations like Medibank and Australian Clinical Labs underscore the OAIC's commitment to holding entities accountable for data security failures.

These actions aim to send a clear message about the importance of robust data protection measures and adherence to reporting requirements in the event of a breach.

While the OAIC maintains a proportionate approach to enforcement, it also recognises the need for guidance to help organisations meet their obligations.

The latest report reflects changes aimed at providing clearer direction on compliance expectations.

"Our priority is ensuring compliance with the law, and we will help organisations achieve this through education and articulating what 'good' looks like," Commissioner Kind explained.

The release of this report coincides with the Australian Government's introduction of the Privacy and Other Legislation Amendment Bill 2024.

This proposed legislation aims to strengthen the OAIC's enforcement capabilities, including an enhanced civil penalty regime and infringement notice powers.

Significantly, the bill would amend Australian Privacy Principle 11 to explicitly require organisations to implement technical and organisational measures to address information security risks.

These measures include data encryption, securing access to systems and premises, and conducting staff training.

While the OAIC has welcomed these proposed changes as an important step towards strengthening Australia's privacy framework, Commissioner Kind believes further reform is necessary.

She advocates for additional measures consistent with the Australian Government's response to the Privacy Act Review to improve security across the economy and enhance the Notifiable Data Breaches scheme.

"We would like to see all Australian organisations be required to build the highest levels of security into their operations to protect Australians' personal information to the maximum extent possible," Commissioner Kind stated.

The OAIC's report is a crucial resource for organisations and the public to understand the privacy risks identified through the Notifiable Data Breaches scheme.

It defines an eligible (notifiable) data breach as an incident where personal information has been lost, accessed, or disclosed without authorisation, likely resulting in serious harm to one or more individuals, and where the organisation has been unable to prevent this harm through remedial action.

Under the Privacy Act, organisations are required to conduct a data breach assessment within 30 days of becoming aware of potential eligible data breaches.

Once a reasonable belief of an eligible data breach is formed, affected individuals and the OAIC must be notified as soon as practicable.

The current Australian Privacy Principle 11 mandates that organisations take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification, or disclosure.

It also requires the destruction or de-identification of information when it is no longer needed.

To support organisations in meeting these obligations, the OAIC has published comprehensive guidance on securing personal information and data breach preparation and response.

Additionally, the office provides advice for individuals on how to respond to data breach notifications, emphasising the importance of public awareness and preparedness in the face of increasing digital threats.

Copyright © nextmedia Pty Ltd. All rights reserved.