I am expecting CVT's level of inbound inquiry will be considerably higher over the last quarter off the back of the Australian & European laws coming into effect. Looking forward to the upcoming quarterly to shed more light on this.
In the AFR today -
OAIC report reveals 63 data breach notifications in first six weeks of NDB scheme
More than 60 data breaches have been reported in the first six weeks of the country's new Notifiable Data Breach (NDB) scheme, with healthcare providers making up almost a quarter of the mandatory notifications.
Of the 63 notifications revealed in the first report by the Office of the Australian Information Commissioner since the laws came into effect on February 22, legal, accounting and management services businesses made up 16 per cent, while finance institutions composed 13 per cent.
IBRS cyber security advisor James Turner said many companies in the healthcare sector still did not realise the gravity of the responsibility on their shoulders in terms of keeping people's data safe.
"I've been talking to healthcare providers around the traps and I'm stunned by the lack of awareness of the NDB scheme. I'm hoping the industry bodies and royal colleges are doing something to raise awareness," he said.
"We have a number of large healthcare organisations listed on the ASX, but to my knowledge only one of them has a chief information security officer. It shows these organisations don't have a sufficient understanding of the risks they're dealing with whether they like it or not."
Just over 50 per cent of the breaches reported to the OAIC were attributed to "human error", which includes inadvertent disclosures, such as sending a document that contains personal information to the incorrect recipient.
"In the 2016–2017 financial year, 46 per cent of the data breach notifications received by the OAIC voluntarily were also reported to be the result of human error," acting privacy commissioner Angelene Falk said.
"This highlights the importance of implementing robust privacy governance alongside a high standard of security."
Human error
In contrast to the first six weeks of the NDB scheme, the OAIC only received 114 self-reports of data breaches for the whole of the 2016-17 financial year.
While the majority of breaches were caused by human error, cyber criminals were not far behind, making up 44.4 per cent of the data breaches. IT system faults were the cause of only two of the 63 breaches.
The first data breach to be publicised under the laws occurred at sea safety and support company Svitzer Australia, which revealed the email accounts of three Australian employees had been compromised between May 27, 2017 and March 1, 2018, with emails auto-forwarded to two external accounts. After discovering the breach, the company stopped the theft within five hours.
The OAIC report showed 73 per cent of the data breaches involved the personal information of fewer than 100 individuals, but there were three cases in which the information of between 10,000 and 99,999 people was compromised. The report did not detail the outcomes of the three cases or how they came about.
"Those three breaches impacted more people than the rest of the breaches combined – they're not small in scope," Mr Turner said.
"It would be interesting to know too how most of these organisations discovered the breach. Was it by themselves, or was it by a third party? ... It's not just the good guys like Microsoft making the phone calls. There are vendors out there trawling the dark net for sensitive information."
About 78 per cent of eligible data breaches were reported to involve individuals' contact information, while 33 per cent were reported to involve health information and 30 per cent included financial details.