[BreachExchange] OAIC finds 'multiple' Australian companies downplaying data breaches

Destry Winant destry at riskbasedsecurity.com
Fri Jan 29 10:30:56 EST 2021


https://www.itnews.com.au/news/oaic-finds-multiple-australian-companies-downplaying-data-breaches-560345

Forces them to redo customer notifications.

Australia’s privacy watchdog has taken aim at a growing number of
organisations that it says take too long to assess data breaches or
that downplay the significance in customer notifications.

The Office of the Australian Information Commissioner (OAIC) issued
multiple warnings in its latest report [pdf] on notifiable data
breaches (NDB).

While acknowledging the complexity of some breaches, the OAIC said it
was “increasingly ... seeing instances of organisations taking much
longer than 30 days to complete their assessments, with further
significant delays before they notify affected individuals.”

“Additional time taken to assess a breach must be reasonable and
justified in the circumstances, with notification to individuals to
occur as soon as practicable,” the OAIC said.

“Unnecessarily delayed notifications undermine the NDB scheme by
denying affected individuals the ability to take timely steps to
protect themselves from harm.”

The OAIC report revealed that three percent of the 539 data breaches
reported between July and December last year - equivalent to 16 in
real terms - took more than a year to be identified.

It wasn’t just slow responses that irked the OAIC - it was also the
way some breaches were ultimately disclosed.

“There were multiple instances where entities’ notifications to
individuals were deficient,” the office said.

“In these instances, the OAIC required that the notifications be
revised and reissued.”

In some cases, breached organisations “provided individuals affected
by a data breach with relatively generic advice that their ‘personal
details’ may have been exposed”, without listing the types.

“In other instances, notifying entities did not provide affected
individuals with sufficient information regarding the data breach to
understand the risk arising from it,” the OAIC said.

“For example, an entity notified the OAIC of a data breach caused by
social engineering where a staff member of the entity was deceived by
a malicious actor into disclosing personal information about other
individuals.

“However, the entity only advised individuals affected by the data
breach that it involved a disclosure of their personal information to
an ‘unintended recipient’.

“In response to the OAIC’s inquiries, the entity acknowledged that it
had incorrectly paraphrased the description of the eligible data
breach and reissued the notification to clarify that it involved a
malicious actor.

“Examples such as these may not only fall short of reporting
obligations but also adversely affect an individual’s ability to make
an informed decision about how to best mitigate harm.”
