Insights from the H12021 OAIC Notifiable data breach report – Privacy – Australia – Mondaq News Alerts




Insights from the H12021 OAIC Notifiable data breach report

29 August 2021

Gilchrist Connell


In its latest notifiable data breaches report, the Office of the
Australian Information Commissioner (OAIC), in
addition to the usual notification statistics, has given guidance
on certain aspects of eligible data breach assessments. It has also
identified the basic measures businesses should already have in place to
deal with data breaches.

Number and causes of notified breaches

446 breach notifications were made in the first half of 2021,
which represents a 16% drop in
notifications compared to the second half of 2020.

The drop in the number of notifications appears unusual given
anecdotal indications that there were more social engineering and
cyber incidents in the period.

Consistent with a rise in such incidents, 65% of all
breaches notified in the period resulted from malicious or
criminal attacks (compared to 57% in the previous period). Human
error remains a significant cause of data breaches, accounting for
30% of all breaches notified.

Guidance provided by the OAIC in the report (discussed further
below) suggests that the manner in which certain cyber incidents were
assessed may have resulted in under-reporting of breaches.

Most affected industries

The industry sectors that, once again, notified the most
breaches in the past 6 months were:

  • health service providers
  • finance
  • legal, accounting and management services

This has been a consistent trend since the commencement of the
breach notification regime in February 2018. It aligns with these
industries holding and handling a greater volume of valuable
personal information in their day-to-day functions, and with the ability
of threat actors to benefit financially from any personal
information exfiltrated from businesses in these industries.

Assessment commentary

The OAIC in the report has helpfully provided guidance on
various aspects of the notification assessment process. Through
case examples, the OAIC indicated:

  • that, where a 'lack of evidence' prevents an entity from
    confirming whether a threat actor accessed, viewed or exfiltrated
    data, it generally considers there to be reasonable grounds to
    believe that an eligible data breach may have occurred (an entity
    without adequate logging therefore cannot rely on the absence of
    evidence to conclude that no breach occurred);
  • that it is likely to consider successful impersonation fraud to
    be an eligible data breach;
  • the extent to which it expects remedial steps taken by a
    business to have prevented the likelihood of serious harm before a
    business can rely on those steps to conclude there has not been an
    eligible data breach.

The guidance provided is very much welcomed and we look forward
to similar guidance on other scenarios businesses commonly face
when assessing if there has been an eligible data breach.

Expected policies and procedures

In addition to assessment guidance, the OAIC highlighted some of
the policies and procedures it expects businesses to have in place
to meet their obligations under the Privacy Act. These include:

  • regularly reviewing security measures, controls and identity
    verification processes intended to minimise the risk of
    impersonation fraud;
  • having appropriate internal practices, procedures, and systems
    to undertake a proper assessment of whether a cyber incident has
    resulted in an eligible data breach; and
  • having appropriate audit and access logs, a routinely tested
    backup system and an appropriate incident response plan.

Businesses must address cyber risk

The assessment guidance, and the policies and procedures the OAIC
expects businesses to have in place, align with the advice
we have given businesses when assisting them to address cyber risk or
to deal with a cyber incident.

Having adequate measures in place to address cyber risk,
including suitable policies and procedures, is imperative to
limiting the risk of compromise, minimising costly downtime and
facilitating prompt data recovery for business continuity and

Businesses that suffer a cyber incident need to ensure they take
the right steps in response to limit the damage caused and deal
with obligations to stakeholders and imposed by regulations.

If you need help to gauge or improve your cyber resilience, or
to deal with a cyber incident, we can assist with a range of
services and expertise.

The OAIC Notifiable Data Breaches Report: January-June 2021 can
be accessed here.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

