Managing data breach risk in the public sector

Australian Government agencies have obligations to take reasonable steps to protect personal information.

Strong data management is integral to the operation of government agencies. Data breaches involving personal information can cause serious harm to affected individuals and, depending on an agency’s response, diminish community confidence in an agency’s information handling practices and disrupt operations.

The Notifiable Data Breaches (NDB) scheme was introduced in 2018 to drive proactive security practices to protect personal information and to require organisations that experience a data breach and are covered by the Privacy Act — which includes most Australian Government agencies — to be transparent and accountable. An agency that experiences a data breach involving personal information that puts individuals at risk of serious harm must notify the Office of the Australian Information Commissioner (OAIC) and those affected. This ensures individuals can take steps to mitigate harm.

The OAIC recently reported on data breach notifications received under the scheme from July to December 2020. For the first time since the scheme commenced, the Australian Government was among the top five industry sectors to notify data breaches.¹

Australian Government agencies reported 33 eligible data breaches to the OAIC — 6% of all data breaches notified during the period. Human error was the source of 29 Australian Government data breach notifications (88%), while two (6%) were the result of a malicious or criminal attack and two were caused by a system fault.

These statistics contrast with those for the private sector, where malicious or criminal attack, not human error, is the leading source of reported data breaches. From July to December 2020, malicious and criminal attacks accounted for 58% of notifications across all sectors, with human error causing 38% of breaches.

Addressing the human factor

Human error breaches generally result from a failure of process or procedure, or simple inattention to detail.

Of the Australian Government data breaches that resulted from human error, approximately half involved personal information being sent to a wrong person either by email or mail. A further nine resulted from unauthorised disclosure of personal information, either because of a failure to redact documents or from their unintended release or publication.

Australian Government agencies should consider introducing technical and process measures that mitigate the risk of errors of this nature. For example, disabling the auto-populate function for the address field for emails will limit the risk of them being sent to the wrong person. For emails with multiple recipients, warnings for the sender to double check the distribution list and to ensure use of the blind carbon copy feature can help to mitigate the risk of a data breach.

Agencies that store and regularly communicate sensitive personal information should adopt systems and processes that ensure its security at all stages of the information lifecycle and that align with the requirements of the Australian Government Information Security Manual and the Protective Security Policy Framework.

Reports received under the Notifiable Data Breaches scheme have confirmed the use of email for storing and communicating personal information is a privacy risk. Particularly for sensitive personal information, agencies should consider more secure options, which may include encrypting and password-protecting documents containing personal information, or transmitting them via websites, online mailboxes or drop boxes that provide additional security controls. Agencies should also consider introducing storage limits and archiving mechanisms for email accounts to limit the number of emails that staff retain.

Australian Privacy Principle 10 on the quality of personal information requires agencies to take steps to ensure that any personal information collected is accurate, up to date and complete. As this includes key contact information for individuals, agencies should regularly validate the records and contact details of individuals with whom they are communicating to ensure that correspondence is addressed correctly.

Agencies’ privacy and security governance arrangements should also include appropriate training and resourcing to foster a privacy- and security-aware culture among staff. This can be achieved through information security programs that recognise that this is not just an issue for compliance or ICT areas, but for all staff. These programs should be driven from the top down — senior management should actively support and promote good privacy and security practices.

Minimising cyber risk

On face value our statistics suggest that human error breaches pose the most obvious risk to Australian Government agencies. However, findings by both the Australian National Audit Office and Australian Cyber Security Centre (ACSC) on cyber maturity and resilience in the public sector suggest there is a need for agencies to continually improve how they manage the risk of cyber-enabled malicious and criminal attacks.

According to the ACSC, Australian Government agencies reported 436 cybersecurity incidents during the 2019–20 financial year — 220 of which resulted in “data exposure, theft, or leak”. This confirms that Australian Government agencies continue to confront an ongoing risk of data breaches from cyber attacks.

As with human error, agencies should put in place controls and technologies to mitigate the risk of cybersecurity incidents occurring. The ACSC’s Essential Eight should be the baseline for agencies.

Data breach response

Australian Government agencies must also have effective systems for detecting, containing, assessing, notifying and reviewing data breaches. The capacity of agencies to identify and respond to data breaches promptly and move to notify affected individuals as quickly as possible is fundamental to their ability to meet the Notifiable Data Breaches scheme’s requirements and objectives.

From July to December 2020, the Australian Government was at the bottom of the top five industry sectors when it came to the time taken to identify that a data breach had occurred, and the subsequent time taken to notify the OAIC.

Sixty-one per cent of government agencies identified an incident, subsequently assessed to be an eligible data breach, within 30 days of it occurring, compared to 75% across all sectors. And 58% of government agencies notified the OAIC within 30 days of becoming aware of the incident, compared to 78% across all sectors.

These figures suggest that Australian Government agencies should check that they are equipped to ensure an efficient data breach response. An agency’s capacity to mitigate the risk of data breaches and respond effectively when one occurs is as dependent as much on work practices and the associated human factor as it is on technological controls. Both must be factored into agencies’ processes and plans.

When designing a data breach risk mitigation and response plan, agencies should consider the entire spectrum of the information lifecycle, including what personal information they collect, how and where they store it, how they secure it, how it is transmitted and how long it is retained.

Australian Government agencies have obligations to take reasonable steps to protect personal information. Upholding a consistent, high standard of personal information handling practices to meet expectations for security, accountability and transparency in data breach prevention and management will maintain and build community trust.

Connor Dilleen is a Director in the Office of the Australian Information Commissioner’s (OAIC) Dispute Resolution branch. He leads the OAIC’s work program for the Notifiable Data Breaches scheme.

The OAIC has a range of guidance, advice and resources on data breaches, including a data breach preparation and response guide and a guide to securing personal information.

In addition to notifying the OAIC if a cyber incident results in an eligible data breach under the Notifiable Data Breaches scheme, agencies are encouraged to report the incident to the ACSC through cyber.gov.au or 1300CYBER1.

1. Government statistics in the OAIC’s Notifiable Data Breaches reports relate to agencies that are covered by the Privacy Act. The Privacy Act covers most Australian Government agencies. It does not cover a number of intelligence and national security agencies, state and local government agencies, public hospitals and public schools.

Image credit: ©stock.adobe.com/au/weerapat1003