EXCLUSIVE: Australian organisations have reported over 3,000 data breaches since the Notifiable Data Breaches (NDB) scheme began in early 2018, but skeleton staffing means its government overseer has only completed three investigations to ensure companies are meeting their obligations.

The 81 new data breaches reported monthly, on average, are being processed and followed up by an NDB team of just three people, one of whom is part-time, according to an Information Age Freedom of Information (FOI) request that revealed the 140-strong Office of the Australian Information Commissioner (OAIC) had conducted just 10 Commissioner Initiated Investigations (CIIs) into reported breaches.

Just three investigations had been completed, with four launched in the weeks after the FOI request was submitted.

Of the seven investigations active as at 30 September, four targeted data breaches involving 367 or fewer individuals.

One related to a breach involving 8,874 individuals and had been ongoing for over two years; another, commenced in August, affected approximately 50,000 individuals.

The seventh investigation related to a breach involving 1.7m individuals – the only one of 69 major breaches (each involving 100,000 or more records) that the OAIC had investigated.

No identification of victims without consent

The investigated incidents represent just 0.3 per cent of data breach notifications (DBNs) lodged with the OAIC; in the rest of the cases, the agency seemingly relies on companies’ assurances that they have contacted all affected individuals.

While media reports of breaches ensure that concerned customers can change passwords or follow up with the companies, the OAIC refused to provide similar clarity by naming organisations that lodged DBNs.

A FOI request for such details was declined because the three-strong team would have to manually scour “all documents on the 69 files” – comprising an estimated 7,815 pages of documents, about 98 per cent of which “contain third-party information that requires consultation”.

OAIC policy is to “respect the confidence of commercially or operationally sensitive information provided voluntarily in support of a data breach notification”, the agency argued, and it will only publish details of breaches where reporting organisations consent.

Yet the NDB team is too small to even try to obtain such consent: “In the event information has been provided in confidence, which is likely,” the agency said, “the OAIC would need to consult with up to 69 notifying entities about their notifications and the FOI request… This would substantially and unreasonably divert the resources of this agency from its other operations.”

Focus on repeat offenders

Despite its stated pro-consumer goals, the responses reflect the OAIC’s ongoing challenges in managing Australians’ exposure to cybercrime.

An OAIC spokesperson said the agency “monitors matters as they are notified and prioritises certain NDBs that require immediate attention”, pointing to the regular statistical abstracts that are widely read and cited within cyber security circles.

Lack of transparency, however, offers no way to confirm that breached companies have met their obligations to notify and support the people whose data they failed to protect.

The NDB scheme, the spokesperson said, is not about punishing companies but “protecting individuals by allowing them to respond quickly to mitigate the risk of harm when their personal information is compromised”.

Some 80 per cent of DBNs were finalised within 60 days of being reported, generally “on the basis that the entity has met the requirements of the NDB scheme and taken steps to prevent reoccurrence”.

“If the OAIC identifies serious or repeated non-compliance with the assessment and notification requirements of the NDB scheme, the Commissioner has a range of regulatory options available.”

“The OAIC has made preliminary inquiries with a number of entities across a range of sectors regarding repeat data breach notifications.”

A trend towards transparency

Concerns about the NDB scheme’s transparency have lingered for years, with one 2016 analysis flagging transparency issues in the then-evolving legislation.

The OAIC’s decision to reduce reporting from quarterly to semi-annually – which came into effect after its 30 June 2019 report – further reduced transparency, presumably to reduce the reporting burden on its tiny NDB team.

The decision not to name and data breach victims contrasts with the growing trend towards sharing information about incidents – for example, the recent compromise of 80,000 SA government employees’ data or the breach of Queensland power company CS Energy’s corporate systems.

Such disclosure, however, is generally left to companies or exposed by customers whose services are interrupted; the ACSC, for one, mainly sees its guidance around incident reporting as being used “as an input to future risk assessment activities”.

State privacy regulators have a range of policies around disclosing breach details: Queensland government guidelines, for example, “strongly encourage” agencies to report breaches and to “notify affected individuals in appropriate circumstances”.

“Doing so is good privacy practice and promotes openness and transparency.”

And while cyber security has become a board-level risk like financial or other metrics, the lack of mandatory reporting is out of step with greater reporting on financial risk.

New ASIC financial-services policies, for example, mandate reporting of compliance breaches with plans to publish this data from late 2022.

Business consultancies concur, with PwC noting that reporting on cyber security is “thin on the ground…. [but] responsible and accountable companies need to confront these challenges.”

“While companies may be forgiven for feeling nervous about reporting in more detail on cyber security, it will increasingly be expected and omissions noted…. Key stakeholders are keen to hear more and regulators will increasingly require better disclosure.”