Australian Information Commissioner Office’s Releases Report on Notifiable Data Breach Scheme

The Office of the Australian Information Commissioner (OAIC) released its second quarterly statistics report into the Notifiable Data Breach Scheme on 31 July 2018 (Report), providing further insight into the operation of the new scheme, which commenced February this year. The scheme provides for mandatory reporting of ‘eligible’ data breaches to the OAIC and to potentially affected individuals. Whether a data breach is eligible depends on whether the unauthorised disclosure, or loss, of data is likely to result in serious harm to affected individuals.

The OAIC recorded over 200 data breach notifications in the Report period between 1 April and 30 June 2018.  The OAIC previously released data breach notification figures for the period spanning 22 February, when the schem commenced, to 31 March 2018. During this short six-week period the OAIC received approximately 10 notifications per week. IN the second reporting period the notification rate has increased, with the OAIC recording approximately 18 notifications per week.

In total, the OAIC received 242 data breach notifications in the second quarter of 2018, taking the total number of notifications received since the scheme’s implementation to 305.

The Report highlighted harrowing data breach figures, recording a number of significant data breaches, including a breach which affected between 1 to 10 million Australians. The Report does not offer exact figures for the number of Australians affected by data breaches in the most recent quarter, but does provide a series of bands indicating the range of individuals affected by each incident. The majority of data breaches involved relatively small groups of affected people with 61% of data breaches involving 100 individuals or fewer, and 38% affecting fewer than 10 Australians. While these figures provide some comfort, even where the numbers are low it does not follow that the level of harm is also low.

A significant proportion of breaches affected far broader sections of the community. Over 14% of all notifications received by the OAIC affected more than 1,000 individuals.  Undertaking a general analysis of the figures provided, treating each incident as if it were the median figure of its respective band, the Report indicates that up to 5.3 million Australians have been impacted by a data breach in the most recent quarter alone.

The Report provides much needed clarity into the nature of data breaches occurring in Australia, helping businesses to target their efforts at prevention. Figures provided in the OAIC’s first quarter report indicated that the cause of data breaches is evenly split between malicious or criminal attack and human error at 44% and 51% respectively. However, the updated second-quarter figures provide a more one-sided picture, citing 59% of breach notifications as a result of malicious or criminal attacks, while the percentage of human error reduced to 36%. Considering the figures provided by the OAIC through 2018 so far, the total breakdown by breach type is as follows:

Type of Breach Percentage
Malicious or Criminal 56%
Human Error 39%
System Failure/Other 5%

These figures highlight the importance of a dual-layered approach to cyber-security and privacy compliance. Robust information-technology and cyber-security safeguards to protect against malware, ransomware and other cyber-attacks are not enough – in order to fully protect personal information from unauthorised access, disclosure or loss, the human element of any organisation must be addressed. An organisation’s cyber-security is not a case of “set and forget”. Adequate data protection compliance will only be achieved through the implementation of clear and thorough information handling policies and through ongoing training and evaluation of staff conduct to minimise the inevitable “human error”.

If you would like to review the Report in detail please visit the OAIC’s website, available here, for further information.

New Investigation Program of the French CNIL for 2018

The French data protection authority (CNIL) has published its annual investigation program for 2018, which is the first since the GDPR came into force on May 25, 2018. The report indicates that the CNIL intends to conduct over 300 investigations (onsite, online or per request of documentation or formal hearing) and will focus on the areas noted below. Continue Reading

Recent Guidance by ONC and SAMHSA Sheds Light on Compliance Requirements for 42 CFR Part 2

Recently, Anne Harrington, Jennifer Tharp and Elliot Golding contributed an article to our Triage Health Law blog. The article looks at the two new fact sheets released by the Substance Abuse and Mental Health Services Administration that provide guidance on the confidentiality of substance use disorder patient records (42 CFR Part 2). The first fact sheet helps providers understand how to properly disclose information if they qualify as a Part 2 Program, and the second sheet focuses on the electronic exchange of healthcare records with a Part 2 Program.

Read the full post online.

Post GDPR Rise in Data-Related Complaints and Data Breach Notifications

Regulators across Europe, have recorded a sharp increase in the number of data-related complaints and data breach notifications since the General Data Protection Regulation (GDPR) came into force on 25 May 2018. The GDPR has radically reshaped how businesses can collect, use and store personal information. As a result of the new and expanded rights for people to know how their data is being used, and to decide whether it is shared or deleted, regulators are being overwhelmed with complaints and businesses are increasingly finding themselves subject to data breaches. Continue Reading

Supreme Court Takes Another Step to Keep Up With the Digital Times: Criminal Procedure and Cell Phone Records in Carpenter

Personal location information held by a third party now receives heightened protection from disclosure to law enforcement

Thanks to Timothy Ivory Carpenter, Cell Site Location Information (“CSLI”) is now part of our vernacular.  More important, in light of the Supreme Court’s June 2018 ruling in Carpenter v. United States, a company’s collection and retention of a person’s historical whereabouts (location information) now receives heightened protection from search and seizure by law enforcement.    Continue Reading

European Parliament Calls on US to Show Compliance with EU-US Privacy Shield Within Two Months

The European Parliament plenary adopted on 5 July 2018 the LIBE Committee’s Motion for Resolution on the EU-US Privacy Shield (‘Privacy Shield) indicating the general Parliament’s position towards its functioning. The non-binding resolution calls for the suspension of the Privacy Shield unless the US demonstrates compliance with its requirements by 1 September 2018.  As per our previous post, the European Parliament considers that the personal data protection provided by the Privacy Shield is not adequate.  Continue Reading

California’s Consumer Privacy Act of 2018

California’s newly enacted Consumer Privacy Act of 2018 is the strictest of the US’s patchwork of privacy related regulations. The Act will impact any legal entity that (i) does business in California, (ii) is operated for the profit or financial benefit of its owners, (iii) collects consumers’ personal information and determines the purpose and means of processing such information, and (iv) satisfies at least one of the following three conditions:

  • Has an annual gross revenue of over $25 million
  • Alone or in combination, annually buys, receives, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices, or
  • Derives 50% or more of its annual revenues from selling consumers’ personal information

Continue Reading

Scrutiny of EU-US Privacy Shield

On 12 June 2018, the Civil Liberties, Justice and Home Affairs Committee (the ‘Committee’) of the European Parliament passed a Resolution, with a vote of 29 votes in favour, 25 opposed and 3 abstentions, calling on the European Commission to suspend the EU-US Privacy Shield arrangement (‘Privacy Shield’).

The Resolution calls for the international data transfer framework to be suspended unless the US demonstrates compliance by 1st September 2018, since it ‘fails to provide enough data protection for EU citizens. Continue Reading

Law360 Expert Analysis: Health Tech Is The New Focus For Cybersecurity Policy

In an article posted in Law360 Expert Analysis on May 22, 2018, Squire Patton Boggs partner Elliot Golding describes how the rise of health care smart devices and tracking apps has intensified the focus on data privacy and cybersecurity within the health care industry.  Subsequently, new and proposed government and regulatory initiatives are underway.

Additional insights and analysis, including details on regulatory, government action, privacy/security and other related issues related to vendor management, planning and training may be found here.

LexBlog