Data breaches surge, privacy bill introduced
Much has happened this month, with the release of new statistics from the Office of the Australian Information Commissioner (OAIC) and guidance on AML/CTF obligations when outsourcing. This edition of the Compliance Radar also covers the surprisingly limited scope of the Privacy Amendment Bill introduced to parliament.
OAIC calls for vigilance against cyberattack
New statistics from the OAIC show a troubling surge in data breach notifications during the first half of 2024. These are the highest figures in nearly four years.
The OAIC defines a data breach as any loss of, unauthorised access to, or unauthorised disclosure of personal information. For companies, a breach can mean lost revenue, customers and reputation, along with significant remediation costs and regulatory fines.
Cyber security incidents such as phishing and malware remain the leading cause of data breaches, accounting for 38% of all reported cases. This underlines the importance of robust security systems, processes and training. The OAIC specifically encourages controls such as multi-factor authentication, enforced password management, layered (defence-in-depth) security controls and active security monitoring.
Snapshot of OAIC Report
From January to June 2024, the OAIC received 527 data breach notifications, a 9% increase on the previous six months. The top five sectors by number of notifications were:
- Health service providers
- Australian Government
- Finance (including superannuation)
- Education
- Retail
While 63% of data breaches affected 100 people or fewer, one reported incident affected over 10 million Australians.
Sources of data breaches were:
- 67% malicious or criminal attack
- 30% human error
- 3% system fault
Among human error breaches, the top causes were:
- 38% personal information (PI) sent to the wrong recipient by email
- 24% unauthorised disclosure (unintended release or publication)
- 10% failure to use BCC when sending email
It is no longer acceptable for privacy to be an afterthought; entities need to be taking a privacy-centric approach in everything they do.
The Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) recommends that entities implement the Essential Eight, a set of baseline mitigation strategies developed to help protect internet-connected enterprise IT systems and data holdings from cyber threats. LAB summarised the Essential Eight in our September Compliance Radar: https://labgroup.com.au/compliance-radar-september-2024/
Privacy Amendment Bill a good first step
Last month, the Australian government introduced the much-anticipated Privacy and Other Legislation Amendment Bill 2024.
If passed, the bill would reform the Privacy Act 1988 to strengthen Australia’s privacy framework. Even after an extended consultation process, the bill’s scope is more limited than expected. It would, however, give the OAIC new enforcement powers, including penalties for interferences with privacy and for specific administrative breaches of the Act.
It also requires the OAIC to develop enhanced privacy protections for children online, and introduces a statutory tort for serious invasions of privacy, alongside new offences targeting doxing. The OAIC says this will help fill “gaps in the existing privacy protection framework and address current and emerging privacy risks and harms.”
AUSTRAC on outsourcing and AML/CTF obligations
AUSTRAC has released new guidance on meeting your AML/CTF obligations when outsourcing: your business remains legally liable for any breaches, regardless of who performs the outsourced work.
Businesses should conduct due diligence on outsourced service providers, then establish written agreements and actively review them. You should also document your procedures for managing outsourcing arrangements in your AML/CTF Program. Begin by assessing your risk, then find your sector in AUSTRAC’s updated lists of suspicious activity indicators.
LAB’s technology is the simplest way to meet your AML/CTF obligations, whether you outsource or not. It ensures you safely handle and protect your customer data – book a demonstration.