Keeping data not for profit: insights and reflections on the notifiable data breaches scheme

An organisation’s ongoing capacity and commitment to ensuring and protecting the privacy of personal information it holds is now, more than ever, a key factor in that organisation’s reputation and the attitude of the public in dealing with that organisation.  In a commercial world driven by data, where allegations of hacking and interference at the highest levels and scandals regarding the misappropriation and misuse of individuals’ data are regular headlines, credibility and propriety are vital when dealing with individuals’ privacy.

Put simply, in order to be attractive in the marketplace, an organisation must have the trust of the consumer.

This is particularly so in the not-for-profit and charity sector in the age of consumer contestability where service providers, particularly care and health service providers, need to receive, use and manage highly sensitive information of their clients.

In this context, as the end of 2019 approaches, and we reflect on the year that has been and what the next year may hold, it is timely to reflect on what we can learn from the first 12 months of the existence of the Notifiable Data Breaches scheme (NDB scheme) under the Privacy Act 1988 (Cth) (Privacy Act) ^[1].

Key insights

The NDB scheme became mandatory for organisations subject to the Privacy Act in February 2018.  Prior to this, a voluntary scheme was in place.

Since that time, the Office of the Australian Information Commissioner (OAIC) has recorded the following statistics:

• 964 eligible data breaches were recorded.
• There was a 712% increase in notifications of data breaches.
• 60% of all eligible data breaches were caused by malicious or criminal attacks – this is the most common cause. The second most common reported cause was human error at 35%, followed by system fault at 5%.
• 153 breaches were the result of phishing or spear phishing – this mechanism continues to be most common and a highly effective means by which organisations are being compromised (in fact, this is the suspected means by which the Federal Parliament and other Commonwealth agencies and departments were targeted in a recent malicious attack on their systems).
• In 28% of data breaches which involved the obtaining of credentials (such as username and password), the organisation was not aware of how the third party obtained the credentials i.e. the system did not detect any phishing compromise.
• The sectors reporting the highest incidence of data breaches were finance and health. This may be reflective of the high volume of data holdings in these industries have but also may reflect that these sectors are also attuned to the process or have the ability to identify the data breaches quicker given the high level of regulation these industries already face.  It could also demonstrate that the data that organisations in these sectors hold is of greater value to third parties.  Charities which provide health care services should bear this trend in mind.
• The sources of breaches in the top 5 sectors affected by data breaches can be seen in this graph:

• The most common type of personal information that was compromised was personal contact information. This makes sense given the high number of emails and other correspondence that makes up most organisations’ day-to-day data content.  The other types of information and the incidence of data breaches can be seen in this graph:
  

• Interestingly, there were 11 multi-party notification events. In these cases, 2 or more organisations held the same personal information jointly and one organisation reported an eligible data breach.  In these circumstances, an eligible data breach of one entity is also considered an eligible data breach of any other entities that hold the same affected information.
• Generally, compliance with the NDB scheme by one entity will also be taken as compliance by each of the entities that hold the same information. Therefore, only one entity needs to take the steps required by the NDB scheme.  Which party undertakes those steps is to be determined by the parties.  However, if no entity complies with the NDB scheme, then each entity will be deemed to have breached the NDB scheme.

Lessons for not-for-profits and charities

The attitude and approach of any regulator is informative for all entities within a regulator’s purview.  In the words of the Australian Information Commissioner and Privacy Commissioner:

“The requirement to notify individuals of eligible data breaches goes to the core of what should underpin good privacy practice for any entity – transparency and accountability….The requirements under the NDB scheme incentivise entities to ensure they have reasonable steps in place to secure personal information.”

Data which not-for-profits and charities hold is not only highly sensitive, it appears from the above statistics that health information of individuals may be of high value to malicious actors and therefore more prone to outside threat.

It is important that organisations take any opportunity to understand where privacy risks lie within their operations, to address the human and cyber elements that contribute to data breaches and to prevent or minimise harm to individuals and the community.

Best practice tips

Our 6 best practice tips for organisations to mitigate against the risk of experiencing a data breach are:

1. Ensure your people are adequately trained

• All employees should be trained on how to detect and report email – based threats (such as phishing), understand basic account security (such as secure passwords and their protection) and how to protect their devices.
• Organisations should ensure that such training is extended to all people involved in the organisation, including contractors, volunteers and directors.

2. Prevention through technology and processes

• Organisations should prioritise investment in improving their overall security defence system, including ensuring there is constant, proactive monitoring of systems and if necessary, engage expert security advice
• Technologies such as multi-factor authentication systems can assist in mitigating against the risk of compromised credentials causing a chink in an organisation’s security armour

3. Prepare, rehearse and stress test

• Organisations should not only have their data breach response plans in place, but should stress test and refine the plan to ensure they can act swiftly and appropriately if the real event occurs
• Simulations also assist in highlighting deficiencies in current plans, practices and processes which may necessitate further investment or internal training

4. Pre-assess the harm

• Organisations that thoroughly understand their data holdings and how data breaches could impact their customers and clients will be best placed to assess whether a data breach can be dealt with through remedial action after a breach is discovered or whether individuals’ and OAIC must be notified.
• There is a risk that over-reporting when the threshold is not reached brings about notification fatigue and consequent inertia when there is a real and urgent requirement to act swiftly. This points to the need for a considered assessment process.

5. Post-breach communication: keep it simple

• OAIC considers transparency and simplicity as the key guiding principles in the wake of a data breach.
• Consumers respond most favourably to those organisations that communicated in clear and plain terms what has occurred and the steps consumers need to undertake to protect themselves.
• Mixed messages and poor timing (for example, issuing the notification before a weekend or public holiday) should be avoided.

6. Ensure you have a contract in place if you are sharing information

• Organisations that share personal information with others as part of their service delivery should ensure that there is a contractual provision which:
  • obliges the other party to notify your organisation of an eligible data breach of any shared information; and
  • provides a mechanism for the parties to determine which party will notify the affected individuals and OAIC; and
  • requires the notifying party to provide evidence to the other party of such notification.
• This will address the risk of your organisation being deemed to have contravened the NDB scheme in the event of a multi-party data breach through another party’s failure.

[1] The statistics in this article are taken from OAIC’s Notifiable Data Breaches Scheme 12-month Insights Report which is available on OAIC’s website: https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-statistics/notifiable-data-breaches-scheme-12month-insights-report/