As data breaches continue to rise, the importance of robust governance to align and improve integrated cybersecurity, technology procurement, privacy compliance, and information lifecycle management becomes critical. Recently released reports by the Office of the Australian Information Commission and the New South Wales Information Commission reveal the high percentage of data breaches caused by human error, third-party supplier risks, and a significant rise in Australian Government data breaches, particularly those involving social engineering or impersonation. This article highlights the trends and recommendations to mitigate these risks, together with how robust information governance works to align policies, processes, people and technology across organisational silos to reduce data breaches and to ensure timely responses to data incidents and data breach notification.
OAIC Notifiable Data Breaches Report: January to June 2024
In a media release accompanying the Notifiable Data Breaches Report (OAIC Report) on 16 September 2024, Australian Privacy Commissioner Carly Kind said, ‘the high number of data breaches is evidence of the significant threats to Australian’s privacy.[1] The reporting period included the MediSecure data breach notification affecting nearly 13 million Australians. The Information Commissioner filed civil penalty proceedings in the Federal Court against Medibank arising from its October 2022 data breach and Australian Clinical Labs Limited from its February 2022 data breach. The OAIC has also opened an investigation into the 2023 HWL Ebsworth Lawyers data breach.
The top five sectors in the reporting period that notified of data breaches were:
- Health service providers (19%)
- The Australian Government (12%)
- Finance (11%)
- Education (0.8%), and
- Retail (0.6%).
OAIC Report: Key Themes and Recommendations
While malicious and criminal attacks remain the primary source of breaches (67%), the report reveals that 47% of all data breaches were due to people’s actions within the organisation. The OAIC’s Report identifies key themes and makes recommendations as follows:[2]
- Addressing the Human factor (47% of all breaches) – organisations need to mitigate the potential for individuals to intentionally or inadvertently contribute to data breaches. This includes training on secure information handling, keeping staff up to date on the latest techniques to detect phishing attempts, and minimising access to personal information for those staff who require it to carry out their work.
- Mitigating cyber threats (38% of all breaches) – organisations need to have appropriate and proactive measures in place to mitigate cyber threats and protect the personal information they hold. These include multi-factor authentication, enforcing password management policies for strong passwords, layer security controls, regularly monitoring user access permissions and removing access privileges when no longer required, and implementing robust security monitoring processes to detect, respond to and report incidents promptly. Read more at The Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) and implementing the Essential Eight.
- Extended supply chain risks – this ‘continues to be a prevalent issue’ and compromises within a supply chain included the MediSecure and Outabox incidents. Guidance to managing third-party providers and supply chain risks includes implementing a strong supplier risk management framework with more robust security measures, and that entities consider the risks of outsourcing personal information at the earliest stage of procurement. Read more at the OAIC’s Guide to securing personal information.
- Misconfiguration of cloud-based data holdings – organisations need to be aware there is a shared responsibility for the security of data in the cloud. The Report states that ‘[t]he OAIC observed various data breaches where an entity misconfigured security settings due to human error, leaving the personal information it held vulnerable to unauthorised access or inadvertent public disclosure.’ The ACSC has guidance on cloud security, including a Blueprint for Secure Cloud. Cloud service providers guidance: Microsoft: Shared responsibility in the cloud; Amazon Web Services: Shared Responsibility Model; and Google: Shared responsibilities and shared fate on Google Cloud.
- Relevance of a threat actor’s motivation in assessing a data breach – the OAIC observed an increase where an entity relied on its perception of a threat actor’s motivation in assessing a suspected eligible data breach. The Report says entities should not rely on assumptions and should weigh in favour of notifying the OAIC and affected individuals when a breach occurs.
- Data breaches in the Australian Government – the Australian Government reported the most data breaches involving social engineering or impersonation (42% of all breaches within this category). These breaches experienced by agencies typically involved a threat actor impersonating a customer and gaining access to their customer account by using legitimate identity credentials that bypassed the agency’s identity verification procedures. The Report states that ‘[e]ntities should have processes in place to identify users and have access control measures in place to ensure only authorised persons access their systems.’ [3]
The number of data breaches reported to the OAIC increased from 38 in the previous reporting period to 63 in this reporting period, with the Australian Government moving from fifth position to the second highest data breaches of all industry sectors.
IPC NSW Data Breach Report – Nov 2023 to June 2024
The first Mandatory Notification of Data Breach Scheme Trends Report (IPC Report) was released on 1 October by the Information and Privacy Commission NSW following the commencement of the Mandatory Notification of Data Breach Scheme (MNDB Scheme) on 28 November 2023. The Scheme applies to New South Wales public sector agencies and includes Local Governments and Universities enacted under New South Wales legislation.
IPC Report: Key Themes and Recommendations
This IPC Report identifies several key themes and provides the following recommendations:[4]
- Notifications are gradually increasing – it is recommended that agencies take the opportunity to review the effectiveness of their policies and procedures for assessing data breaches.
- Cyber security uplift should be a focus for all sectors – leaders across the sectors are strongly encouraged to engage with the risks arising from cyber security. This requires investment to uplift ICT security and staff capability, which are key to improving the safety and security of personal information held by agencies. While the NSW Cyber Security Policy is not mandatory for the Local Government or University sectors, its adoption is recommended to build a foundation of strong cyber security practice.
- Data breach readiness – being prepared and ready to respond to a data breach is key to limiting harm to affected individuals. A comprehensive data breach policy provides staff with a clear plan to follow that will enable the agency to manage a data breach in a timely manner, swiftly notify affected individuals, mitigate the effort and expense an agency will need to remediate the incident, and meet its compliance obligations under the MNDB Scheme. The Report recommends that agencies regularly review their data breach policy and privacy management plan to ensure they remain current and responsive to changes in the agency’s functions or structure, and the changing ways agencies deliver services. They should also be reviewed post-incident and responsive to any lessons learned.
- Delegations – to facilitate a timely response to data breaches, make sure that appropriate delegations are in place so that the right people have the authority to act and make decisions quickly. Delegations should be to officers at the appropriate level of seniority and with the necessary expertise to respond to a data breach in compliance with the Privacy and Personal Information Protection Act 1998 (PPIP Act).This means that at a minimum, these officers will need to understand and apply the legislation and statutory guidelines.
- Effective notifications – effective notifications should provide all the information required under section 59O of the PPIP Act, be written in plain English and provide clear instructions for recommended steps the individual can take or the services that may be contacted for assistance.
- Provision of assistance – where a data breach impacts a large number of individuals or involves particularly sensitive personal information, a dedicated webpage or support line should be established to provide affected individuals with a centralised contact point to seek further information about the breach, ask questions about the recommended actions made in the notification, or seek support to reduce harm arising from the breach.
- Contracted service providers – a small number of breaches notified by agencies in the reporting period involved private sector entities performing services under contract to an agency. To facilitate prompt assessment of breaches involving contracted service providers, data breach policies, data breach response plans and service contracts must adequately address all arrangements necessary in the event of a data breach, including those involving a service provider. This should include providing access to all the information necessary for the agency to assess harm, determining which entity will undertake notification and any other matters relevant to responding to, and managing, a data breach. ‘Chain of contracts’ scenarios are common where agencies are providing complex services which involve numerous service providers. The Privacy Commissioner has issued guidance to help agencies understand their obligations in these circumstances.
The IPC Report also provides a concise one-page summary of Good Practice Tips – Responding to breaches and reducing harm to affected individuals.[5]
The Role of Information Governance in Reducing Data Breach Risks
The coordinating mechanism of Information Governance enables key data breach risks to be reduced through robust information lifecycle management and data disposal. This improves collaboration across the organisation to minimise human error, reduce third-party risks, and better prepare for and respond to data breaches.
The nexus between Cybersecurity and Information Lifecycle Management
Information lifecycle management (ILM) is the system by which an organisation controls the collection and generation of data, storage, use and disposal and archiving of data and information. As the OAIC report states: ‘[u]ltimately, effective cyber security practices also require entities to practice ‘privacy by design’ across the information lifecycle, including the collection, retention, use, disclosure and destruction of personal information.’[6] Achieving a program where there is ongoing disposal of personal information in accordance with privacy and legal requirements can be very challenging. There can be resistance to change when attempting to balance the tension between various business processes wishing to retain data (e.g., marketing and business development) and following best practices for privacy and regulatory requirements for data minimisation. There can also be difficulties in actioning disposal due to a lack of decision-making authority, accountability, and inadequate auditing.
Data Minimisation, Data Security and Information Governance
Australian Privacy Principle APP 11.2 states an organisation ‘must take reasonable steps to destroy or de-identify information it no longer needs for any purpose for which the information may be used or disclosed under the APPs.’ Reasonable steps include both technical and organisational measures. Guidance on technical and organisations measures is provided in OAIC’s Guide to securing personal information. The guidance points out that governance, accountability and lines of authority for decisions regarding personal information security need to be clear. Even where these are clear, ongoing disposal and data minimisation may still be challenging. Typically, in larger organisations, there are a number of different areas handling different aspects of data and information across separate organisational areas, as shown in the InfoGovANZ model below.
The issue is how to embed privacy governance into enterprise-wide information management to meet organisational strategic objectives, which focus on innovation through data-driven technologies and the need to meet legal obligations, including privacy, cybersecurity and record-keeping obligations. This is where the information governance can help. An essential component is the information governance committee, which has representatives from relevant areas (e.g., legal, privacy, records, technology systems, and data owners). The information governance committee can prioritise data and information projects, such as data minimisation or data disposal projects, make decisions and recommendations to the risk committee.
For Australian Government agencies, information governance is part of the Building Trust in the Public Record: managing information and data for government and community policy (Building Trust in the Public Record Policy). The Policy recommends that agencies review and update their information governance framework to incorporate enterprise-wide information management for records, information and data (see more here).
The Human Factor: a critical key to reducing data breach risk
While malicious and criminal attacks remain the primary source of breaches (67%) notified to OAIC, a deeper analysis reveals that 47% of all data breaches were due to people’s actions within the organisation. The OAIC Report provides that while 30% of data breaches were due to human error, a further 12% were due to clicking on malicious links or downloading a compromised attachment, and 5% were due to a rogue employee or insider threat. Reducing human error and taking steps to reduce risks around insider threats, along with robust information lifecycle management and training, are key ways organisations can reduce the risk of and prevent data breaches.
With regular reminders from media coverage of high-profile cyberattacks, ransomware demands and data breaches, from a corporate governance perspective, the primary focus is often on the external cyber risks and ensuring that IT and cybersecurity are adequately resourced to withstand relentless malicious cyber-attacks on the organisation. However, as the OAIC Reports have consistently shown since 2018, around one-third of all data breaches are caused by human error. If clicking on phishing links (recorded in the malicious attacks category) is added to the human error category, then staff (and contractors) errors are a key cause of data breaches, arguably more than half of all data breaches.
The IPC Report reveals that, close to 79% of all notifications made in the three main sectors – government, local government and universities – were caused by human error.[7] Acting Privacy Commissioner Sonia Minutillo said, ‘The high frequency of notifications caused by human error reinforces that agencies must embed robust privacy practices into the design of their systems and processes of work, particularly with the use of email. An agency’s staff can be its most valuable asset for ensuring that personal information is safely and securely handled. This relies on the agency creating a pro-privacy culture where all staff have an appreciation of their role and an understanding of their obligation to protect the personal information the agency holds.’[8] Building a pro-privacy and data protection culture is key to privacy compliance.
The antithesis of a data protection and privacy culture is the malicious insider who can access and misuse the organisation’s information. The OAIC Report provides an example of a health service provider becoming aware of a data breach in which a former employee, over a period of 2 years, accessed over 20,000 individuals in its customer relationship management system and disclosed personal information without authorisation. The Report says, ‘the employee disclosed the personal information to an external party for financial gain, via a work email and personal social media accounts, using their work-issued laptop.’[9] As a result of the incident, the Report states, ‘the entity implemented additional monitoring capabilities to flag high volume record searches and access by staff, large copying and pasting of data, and uploading of files to social media websites and external web services.’[10] This is an example where technology can be used to flag discrepancies. However, resources are then required to review flagged discrepancies and prompt action taken if there has been a failure to comply with user access policies.
The IPC has a comprehensive Privacy Governance Framework, which includes a high-level overview of the roles and responsibilities for effective privacy implementation. The OAIC’s Guide to Securing Personal Information includes a section on ‘personnel security and training.’ In addition to implementing the guidelines from OAIC and the IPC, it is recommended that robust information governance, which connects some of the typically siloed training, can help build a culture of data protection and information as an organisational asset. That is, reframing cybersecurity training as ‘information security and protection’ and incorporating information and cyber security, safe data practices, and compliance with record-keeping obligations, to emphasise the role and responsibility of everyone within the organisation for protecting data and building information as a valuable asset.
The Role of Governance and Delegations
The latest reports have also shone a light on the importance of the delegations framework, the data breach response plan and co-ordination between areas within the organisation to ensure privacy regulatory notification requirements are met in a timely way. As referred to above, the IPC Report identified that organisations need to ensure that ‘appropriate delegations are in place so that the right people have the authority to act and make decisions quickly.’[11] The OAIC Report provides that, ‘the Australian Government continues to have the largest proportion (87%) of notifications identified over 30 days after it occurred and further delay in escalating it to the responsible area for responding to the data breach and notifying the OAIC.’[12]
These latest responses indicate a disconnect between those at the initial ‘coal face’ of detecting a data breach, which is usually the area responsible for cybersecurity or the business area, and a delay in communicating the incident to privacy and legal. Building data and information relationships across areas, including cybersecurity, business areas, privacy and legal, can help improve data breach response. Building relationships through ongoing collaboration for data protection and information governance should also help when responding to a data breach. While all organisations should have robust data breach response plans in place – see OAIC’s Data Breach Preparation and Response and IPCs Guide – Mandatory Notification of Data Breach Scheme: Guide to Preparing a Data Breach Policy, the information governance committee can be involved in post data breach analysis to help identify and oversee implementation of measures to reduce future data breach risks. For example, IPC’s Fact Sheet – How to calculate the estimated cost of a data breach provides a valuable tool to examine data breach costs and identify ways and measures that can be implemented and overseen by privacy and an information governance committee.
Key Points
- Data breach notifications are increasing.
- Privacy regulatory activity and enforcement action is increasing.
- The OAIC and IPC’s latest reports set out case scenarios to provide guidance to help organisations comply. These can be used to discuss and identify risks and implement the necessary steps to reduce them and improve data security.
- Managing personal information across the organisation requires ongoing collaboration, expertise (in systems, data, and regulatory compliance), decision-making and accountability.
- Privacy compliance can be improved by a robust information governance framework that aligns policies, people, and technology and through an information governance committee, particularly in relation to ongoing information lifecycle management.
- Robust enterprise-wide information governance helps integrate privacy, cybersecurity, records, and information management, to reduce risks and build a culture where information is protected and valued as an asset.
Sibenco offers bespoke workshops for organisations, bringing together key stakeholders to improve information governance for information lifecycle management, enabling data-driven innovation and privacy and cybersecurity compliance. For more information get in touch here.
Author: Dr Susan Bennett PhD, LLM(Hons), MBA, FGIA, FIP, CIPP/E, CIPT
Principal Sibenco Legal & Advisory, Governance and Privacy Lawyer
Footnotes
[1] OAIC, Media Release, 16 September 2024.
[2] OAIC, Notifiable Data Breaches Report: January to June 2024 (OAIC Report), 16 September 2024, 9.
[3] Ibid 21.
[4] IPC, Mandatory Notification of Data Breach Scheme Trends Report 1 October 2024 (IPC Report) 6-8.
[5] Ibid 13.
[6] OAIC Report, 11.
[7] IPC Report, 14.
[8] IPC Media Release, 1 October 2024.
[9] OAIC Report, 14.
[10] Ibid.
[11] IPC Report, 7.
[12] Ibid 20.