Serious data breaches are occurring at the highest rate in the last three and a half years, according to the Office of the Australian Information Commissioner, as it awaits new enforcement powers proposed in a Privacy Act amendment bill.
The latest notifiable data breaches report, released on Monday, reveals 527 data breach notifications between January and June 2024 — a nine per cent increase on the second half of 2023.
Just days after watered-down privacy amendments entered Parliament, Privacy Commissioner Carly Kind said the number of breaches shows “privacy and security measures are not keeping up with the threats facing Australians’ personal information” .
According to the report, health sector data breach notifications made up the largest proportion of total breaches (19 per cent), followed by Commonwealth government entities (12 per cent).
Government reports were 66 per cent higher in the first half of the year (38) than in the second half of 2023 (63). Agencies also had the highest proportion of notifications (87 per cent) of data breaches identified more than 30 days since it occurred.
In line with previous reports, most data breaches were the result of malicious and criminal attacks (67 per cent). Almost half of Commonwealth government data breaches were the result of “social engineering or impersonation”.
Ms Kind said that six years on from the start of the NDB scheme, the OAIC’s expectations of entities is now “higher” and that it begun legal action against firms that have seriously interfered with the privacy of Australians.
“Our recent enforcement action, including against Medibank and Australian Clinical Labs, should send a strong message that keeping personal information secure and meeting the requirements of the scheme when a data breach occurs must be priorities for organisations,” Ms Kind said.
Proposed reforms to the Privacy Act, that entered parliament last Thursday, will give the OAIC expanded monitoring and investigation powers under the Regulatory Powers Act, as well as the ability to initiate public inquiries into privacy relating matters.
A new tiered civil penalty regime will be introduced, enabling more enforcement action since the regulator can only seek civil penalties for the most egregious interferences with privacy, according to the bill’s explanatory memorandum.
In the event of a data breach covered by the notifiable data breach scheme, the reforms would also empower the Attorney-General to permit information sharing with appropriate entities to reduce the risk of harm.
In its first NDB scheme report under Ms Kind, the regulator has modified its reporting structure to highlight recommendations on increasing privacy protections and a strategic approach to responding to data breaches.
“Our priority is ensuring compliance with the law, and we will help organisations achieve this through education and articulating what ‘good’ looks like,” Ms Kind said.
The OAIC is currently reviewing its presentation of NDB scheme statistics, “with a view to provide data for all sectors”, a spokesperson told InnovationAus.com last month.
Data on only the top five sectors is currently broken out in detail in the reports as “they generally account for a high number of notifications”, the spokesperson said, and government notifications for all reporting periods is currently only available through heavily redacted freedom of information requests.
“It would not be practical or statistically significant to include this level of detail for other sectors in the current report format given the smaller number of notifications,” the spokesperson said.
The OAIC has published reports on NDB scheme statistics since it began in 2018. This was initially done on a quarterly basis but the OAIC shifted to a six-month reporting period in the second half of 2019.
Do you know more? Contact James Riley via Email.