Many readers will be aware that the mandatory data breach reporting requirements in Australia have been in operation since February of 2018. In September last year Holman Webb reported on the statistics provided by the Office of the Australian Information Commissioner relating to the quarter ending July 2018.
So, how are things looking 18 months into the operation of the mandatory reporting regime?
The statistics show that:
- There have been over 1,270 notifications;
- Only 4% arise from systems errors;
- 36% of breaches arise from human error (including misdirected emails, wrongfully copying in people to emails, paperwork being lost, insecure disposal of personal information and loss of devices on which data is stored);
- 25% relate to the disclosure of information relating to one person only; and
- With respect to cyber incidents:
  - 36% arise from phishing emails;
  - 29% from stolen or improperly used access details;
  - 7% from malware;
  - 7% from ransomware; and
  - 9% from brute force attacks.
The lesson to take from the above is that your staff are still key when it comes to data security. If we broaden the definition of staff conduct to include wrongfully opening phishing emails, and allowing the release of their passwords and other access information, then the reality is that at least 50% of all breaches arise from staff conduct.
For those wanting to ascertain whether there are any trends, the raw statistics per quarter are:
Attributes and Results of Security Breaches

| QT Ended | Number of Notifications | Human | Fault in IT Person ONLY (%) | Affecting 1 person ONLY (%) | Release or Access of Contact Info (%) | Release or Access of Financial Info (%) | Release or Access of Health Info (%) |
|---|---|---|---|---|---|---|---|

Specified Human Error

| QT Ended | Data Emailed, Mailed, or Faxed to Wrong Recipient (#) | Emails in which sender failed to use BCC (#) | Loss of paperwork, insecure disposal, or loss of storage device (#) |
|---|---|---|---|

| QT Ended | Phishing Emails (%) | Ransomware (%) | Malware (%) | Brute Force Attacks (%) | Via Stolen or Compromised Credentials (%) |
|---|---|---|---|---|---|

Top 5 Industries Affected by Breaches (# of Notifications)

| QT Ended | Health Service Providers | Finance | Legal/Accounting and Management | Education | Business and Professional Associations |
|---|---|---|---|---|---|
If you have a query relating to any of the statistics in this article, or you would like to speak with a member of Holman Webb’s Technology Law team in relation to your organisation’s mandatory data breach reporting requirements, please don’t hesitate to get in touch today.