Agencies must take ‘proactive’ measures against rising data breach risks

The latest Notifiable Data Breaches report from the Office of the Australian Information Commissioner (OAIC) revealed a 26 per cent increase in breaches in the second half of 2022, including several large-scale ones that affected millions of Australians.

Out of 40 data breaches affecting over 5,000 Australians during the period, 33 were caused by cyber security incidents. The figures are significantly higher compared to the first half of 2022 when there were 24 reported large-scale breaches.

Overall, 70 per cent of data breaches were due to malicious or criminal attacks, with another 25 per cent caused by human error, with the top causes including sending emails to the wrong address, closely followed by unintended release or publication, and the failure to use BCC when sending emails coming in third place. 

Australian information commissioner and privacy commissioner Angelene Falk highlighted that cyber security can have significant impacts on individuals, and organisations need to be alert to the risks.

“We saw a significant increase in data breaches that impacted a larger number of Australians in the second half of 2022. 

“Cyber security incidents continue to have a significant impact on the community and were the cause of the majority of large-scale breaches,” she stated.

High-profile breaches in the second half of 2022 included Optus, which reportedly affected more than 10 million customers and Medibank, with the personal information of 9.7 million customers, former customers and their authorised representatives accessed by cyber criminals.  

In the real estate industry, Harcourts confirmed on 3 November that a Melbourne City franchisee’s rental property database had been compromised by unauthorised third-party access on 24 October.

Ms Falk urged organisations to take “appropriate and proactive steps” to protect against and respond to a range of cyber threats. 

“This starts with collecting the minimum amount of personal information required and deleting it when it is no longer needed.”

Additionally, she stressed the need for organisations to remain vigilant, as large-scale breaches of personal information may lead to further attacks, such as targeted social engineering, impersonation fraud and scams. 

“Organisations need to be on the front foot and have robust controls, such as fraud detection processes, in place to minimise the risk of further harm to individuals,” she said.

In the event that breaches occur, she reminded organisations that they need to provide information to individuals that are timely and accurate.

“As well as setting out the kinds of information breached, the notification must include recommendations about clear steps people should take in response,” she added.

Recommended changes to the Privacy Act to scrap exemptions for small businesses

Ms Falk also welcomed further proposals to strengthen the Notifiable Data Breaches scheme in the Attorney-General’s Department’s Privacy Act review report, which was initiated in response to the high-profile data breach cases in 2022. 

On 16 February, the Attorney-General’s Department released its long-awaited review of the Privacy Act, which includes 116 recommendations aimed at safeguarding businesses and consumers from escalating cyber security threats.

The report highlighted the vulnerability of Australia’s small business sector, which experiences 43 per cent of all cyber crime attacks.

Currently, businesses with an annual turnover of $3 million or less are exempt from the strictest compliance measures prescribed by the act, which include being required to protect their customers’ personal information or disclose how it is used. 

As of June 2021, nearly 2.3 million of Australia’s estimated 2.5 million businesses were exempt due to their annual turnover, the report says.

As a result, most businesses are not currently subject to the rules covering larger firms, including new fines of up to $50 million for businesses that were impacted by significant data breaches.

Following rounds of consultations with small business advocates, cyber security experts, and academics, the Attorney-General’s office raised the argument that carve-outs for small businesses should be rescinded.  

The report laid out the case for scrapping the 20-year-old exemption, which was introduced prior to businesses’ take-up of online. 

“In recognition of the increasing privacy risks posed by small businesses and the benefits of improved privacy protection for Australians and the economy, the small business exemption should be removed,” the report stated. 

Under the expanded measures, all Australian businesses must comply with the act, regardless of annual turnover.

Findings of the report showed small businesses increased their risk profile to cyber attacks merely by processing orders online, maintaining a digital presence, or using cloud computing services, the report found — even if those businesses don’t handle complex information.

It also underlined that decreasing the annual turnover threshold is not a viable solution either, with the report claiming that small businesses with small turnovers, like tech start-ups that hold the personal data of app users, can expose customers to profound harm if their data is hacked. 

However, in what can be considered a reprieve for small businesses, the report acknowledged the unique challenges faced by small businesses and the potential regulatory burden associated with complying with the act and recommended that the exemption will only be removed after steps to facilitate small business compliance have been implemented. 

The report also recognised the financial cost of such compliance, given the likelihood that small businesses will need to invest in all aspects, from staff training and document shredders to bringing privacy policies up to date. 

“To support small businesses to comply with the act, there would need to be a comprehensive package of assistance developed and implemented,” the report stated.

While those measures are developed, the report also recommended the federal government remove the exemption for small businesses that receive user consent to trade their personal information and ensure the collection of biometric data across businesses of all sizes is covered by the act. 

Interested parties have until March 31 to submit their views to the Attorney-General’s office as the federal government formulates its response to the report.