Error flags on breaches
The first snapshot of data breaches in big Australian organisations shows human error is as big a risk as malicious attack.
Commenting on the first report into the Notifiable Data Breaches scheme, Geelong lawyer Paul Gray said that for business managers, knowing which questions to ask about data security and how to mitigate risk was half the battle.
“From a governance perspective, directors ought to know the questions they should be asking their IT folk about data security, and accessing a sensible framework for this is becoming easier,” said Mr Gray, a principal lawyer at Harwood Andrews.
Human error caused about half of the 62 breaches reported, while malicious or criminal attacks, such as theft of personal information or cyber security incidents, accounted for most of the rest.
One in three of the breaches involved health information.
“Technology will solve many issues, but businesses need to appreciate the weakest link will almost always be a human,” Mr Gray said.
“Investing in training, good policy development and internal communications will go a long way to mitigating the risks most businesses face on data security.”
The Government’s Notifiable Data Breaches scheme, which started on February 22, 2018, requires all agencies and organisations with personal information security obligations under the Privacy Act to notify affected individuals and the Office of the Australian Information Commissioner of a breach that is likely to result in serious harm to any individual whose personal information is involved.
The scheme’s first quarterly report shows 32 breaches were attributed to human error, such as inadvertently sending information to the wrong recipient; 28 were due to malicious or criminal attack, while system faults accounted for two.
The health industry reported the most incidents (15). This was followed by legal, accounting and management services (10) and finance (eight).