February 2021 marked the three year anniversary of the introduction of the Notifiable Data Breaches Scheme (NDB Scheme) in Australia. This milestone is an important reminder for health service providers to familiarise themselves with their privacy and cyber security obligations.
Under the NDB Scheme, entities covered by the Privacy Act 1988 (Act) have a legislative obligation to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm to an individual whose personal information is involved (an Eligible Data Breach).
Eligible Data Breaches include those that result from a cyber security incident. The Australian Cyber Security Centre has reported that between 1 July 2019 and 30 June 2020 one cybercrime was reported every ten minutes on average, with ‘malicious emails’ and ‘compromised systems’ the most common types of cyber security incident. Over the 2020 calendar year, the health sector reported the highest number of cyber incidents of any sector other than government and individuals.
In January 2021, the OAIC released its latest Notifiable Data Breaches Report (Report) which related to notifications during the period July to December 2020 (Period).
The Report confirmed that:
- Data breach notifications increased by 5% in the Period compared with the previous six months, to a total of 539;
- Malicious or criminal attacks remained the leading source of breaches notified to the OAIC (58%), with ransomware, hacking, compromised credentials and malware among the cyber incidents reported in that category; and
- 78% of entities notified the OAIC within 30 days of becoming aware of an incident.
Notably, the Report confirmed that health service providers notified more data breaches than any other sector during the Period (23% of all notifications).
Timely assessment and notification
Pursuant to section 26WH of the Act, an entity that suspects an incident may be an Eligible Data Breach must take all reasonable steps to complete an assessment within 30 days and, if the assessment confirms an Eligible Data Breach, promptly notify both the OAIC and affected individuals.
However, the OAIC is increasingly seeing instances of entities taking much longer than 30 days to complete their assessments with further significant delays before affected individuals are notified.
Any time taken beyond 30 days to assess a breach must be reasonable and justified, which is often not the case. The OAIC's main concern is that unnecessary delay in informing affected individuals undermines the purpose of the NDB Scheme: it denies them the ability to take timely steps to protect themselves from harm, for example by contacting their bank or changing a password that may have been compromised in the breach.
Content of notifications
During the Period, the OAIC noted multiple instances where entities’ notifications to individuals were deficient and did not include all the information the Act requires. Where a notification has been deficient, the OAIC has required the entity to revise and reissue it.
Under the Act, entities must provide the following information to the OAIC as soon as practicable after becoming aware that there are reasonable grounds to believe there has been an Eligible Data Breach:
- the identity of the entity and their contact details;
- a description of the Eligible Data Breach;
- the kind or kinds of information involved in the data breach; and
- recommendations about the steps that individuals should take in response.
A notification reflecting the content of the statement provided to the OAIC must also be given to affected individuals as soon as practicable, so that they can make informed decisions about how best to mitigate harm.
What can you do?
The OAIC is mindful that the NDB Scheme has now been in operation for three years and entities are expected to have systems in place to report breaches pursuant to the requirements under the Act.
As such, it is important that health service providers ensure that:
- They review their cyber security policies and NDB Response Plan or, if they do not have these policies and plans, put them in place;
- Staff are trained to identify data breaches (including cyber incidents) and are aware of the steps they need to take if such a breach occurs;
- They complete their assessment of a suspected data breach within 30 days and notify the OAIC and affected individuals as soon as practicable, ensuring that each notification complies with the requirements of the Act; and
- If there is any indication of a cyber incident, they immediately contact their medical defence organisation or insurer and obtain timely legal and IT advice.
This article was written by Karen Keogh, Partner and Patricia Marinovic, Senior Associate.