OAIC finds 'multiple' Australian companies downplaying data breaches

Australia’s privacy watchdog has taken aim at a growing number of organisations that it says take too long to assess data breaches or that downplay the significance in customer notifications.

The Office of the Australian Information Commissioner (OAIC) issued multiple warnings in its latest report [pdf] on notifiable data breaches (NDB).

While acknowledging the complexity of some breaches, the OAIC said it was “increasingly ... seeing instances of organisations taking much longer than 30 days to complete their assessments, with further significant delays before they notify affected individuals.”

“Additional time taken to assess a breach must be reasonable and justified in the circumstances, with notification to individuals to occur as soon as practicable,” the OAIC said.

“Unnecessarily delayed notifications undermine the NDB scheme by denying affected individuals the ability to take timely steps to protect themselves from harm.”

The OAIC report revealed that three percent of the 539 data breaches reported between July and December last year - equivalent to 16 in real terms - took more than a year to be identified.

It wasn’t just slow responses that irked the OAIC - it was also the way some breaches were ultimately disclosed.

“There were multiple instances where entities’ notifications to individuals were deficient,” the office said.

“In these instances, the OAIC required that the notifications be revised and reissued.”

In some cases, breached organisations “provided individuals affected by a data breach with relatively generic advice that their ‘personal details’ may have been exposed”, without listing the types.

“In other instances, notifying entities did not provide affected individuals with sufficient information regarding the data breach to understand the risk arising from it,” the OAIC said.

“For example, an entity notified the OAIC of a data breach caused by social engineering where a staff member of the entity was deceived by a malicious actor into disclosing personal information about other individuals. 

“However, the entity only advised individuals affected by the data breach that it involved a disclosure of their personal information to an ‘unintended recipient’. 

“In response to the OAIC’s inquiries, the entity acknowledged that it had incorrectly paraphrased the description of the eligible data breach and reissued the notification to clarify that it involved a malicious actor.

“Examples such as these may not only fall short of reporting obligations but also adversely affect an individual’s ability to make an informed decision about how to best mitigate harm.”