Mandatory reporting brings spike in breach notifications
A wave of companies have reported data breaches since the introduction of mandatory reporting.
The Notifiable Data Breaches scheme, implemented six weeks ago, requires companies that hold personal information to notify affected customers when data is involved in a breach likely to result in serious harm. Companies must also report the breach to the Office of the Australian Information Commissioner.
The commissioner’s office says 63 breach notifications have been reported since the scheme was implemented – a rate of two every business day.
Last financial year only 114 data breaches were voluntarily reported.
Half the notifications to the commissioner’s office involve human error, while 44% arise from malicious or criminal attacks.
The top five sectors are health service providers (15 breaches reported), legal, accounting and management services (10), finance (eight), private education (six) and charities (four).
About 78% of the breaches involve individual contact information, 33% health information, 30% financial details and 24% identity information such as a driver’s licence number or passport number.
In 73% of reported breaches the personal information of fewer than 100 individuals was compromised. About 27% involve more than 100 people and more than half involve 1-9 individuals.