As data breach notifications rise, so does organisation accountability: OAIC

As data breach notifications rise, so does organisation accountability: OAIC

Malicious or criminal attacks remain the leading source of breaches followed by human error.

Credit: Dreamstime

Organisations need to put accountability at the centre of their information handling according to the Office of the Australian Information Commissioner (OAIC) after data breach notifications rose 6 per cent to 464 in the six months to December 2021. 

Malicious or criminal attacks remain the leading source of breaches, accounting for 256 notifications (55 per cent of the total), down 9 per cent in number from 281 in the same period last year, according to the OAIC's Notifiable Data Breaches Report: July - December 2021. 

Breaches due to human error increased 43 per cent to 190, after a dip in the previous period.

The health sector remains the highest reporting industry sector to the OAIC, which notified 18 per cent of all breaches, followed by finance at 12 per cent.

Falk said the OAIC expects organisations to have strong accountability measures in place to prevent and manage data breaches in line with legal requirements and community expectations.

“The [Notifiable Data Breaches] scheme is now mature and we expect organisations to have accountability measures in place to ensure full compliance with its requirements,” she said.

“If organisations wish to build trust with customers, then it is essential they use best practice to minimise data breaches and, when they do occur, they put individuals at the centre of their response.”

This is the fourth year running of the report and the OAIC said it was still finding that some organisations are falling short of the scheme’s assessment and notification requirements, which delays an individual’s opportunity to protect themselves. 

The OAIC expects organisations to treat 30 days as a maximum time limit for an assessment of a data breach and to aim to complete the assessment in a much shorter time frame.

A notable proportion of organisations that experienced system faults, at 11 per cent, did not become aware of the incident breach for over a year, while 28 organisations took longer than 120 days from when they became aware of an incident to notify the OAIC.

“A key objective of the scheme is to protect individuals by enabling them to respond quickly to a data breach to minimise the risk of harm,” Falk said.

Follow Us

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags notification lawsOffice of the Australian Information CommissionerOAIC

Show Comments