A significant number of entities reporting data breaches to the Office of the Australian Information Commissioner last year took more than 120 days from when they became aware of the incident to when they reported it.
This is one of the findings of the OAIC’s latest Notifiable Data Breach Report, which covers the period from July to December last year.
The OAIC said an objective of the reporting scheme is to protect individuals by enabling them to respond quickly to a data breach to reduce the risk of harm.
It said that 75 per cent of entities with a notifiable breach reported within 30 days but it is concerned that 28 of the 464 entities that issued notifications took longer than 120 days.
The Privacy Act requires an entity to take all reasonable steps to complete its assessment of whether an incident amounts to an eligible breach within 30 days, and to notify the OAIC and affected individuals as soon as practicable after confirming there are reasonable grounds to believe an eligible data breach has occurred.
The OAIC said: “As the risk of serious harm to individuals increases with time, the OAIC expects that where possible entities treat 30 days as a maximum time limit and try to complete the assessment in a much shorter timeframe.”
The 464 notifications during the six-month period represented a 6 per cent increase, compared with the first half of 2021.
Health service providers were the biggest group in the sample, accounting for 18 per cent of notifications. Financial services companies were second, accounting for 12 per cent, and legal, accounting and management services businesses were third.
More than half of the breaches (55 per cent) were the result of malicious or criminal attack, 41 per cent were due to human error and 4 per cent to system faults. Human error covers such things as unintended disclosure, failure to use BCC when emailing, information sent to the wrong recipient and loss of data.
Contact information, identity information and financial details were the most common types of personal information involved in data breaches, which is consistent with previous reports.
More than half of the breaches (52 per cent) affected between one and 10 people, and in 71 per cent of notifications fewer than 100 people were affected.
One case involved between one million and 10 million people, and 12 cases affected more than 10,000 people.