The Australian Information Commissioner and Privacy Commissioner, Angelene Falk, has criticized Australian organizations for their slow data breach notification processes. Falk emphasized the need for swift notifications rather than prolonged analysis, as delays can put affected individuals at risk. While there has been an improvement in breach reporting, Falk urged organizations to do better.
In the first half of 2023, Australian organizations reported 409 breach incidents, 70% of which were attributed to malicious or criminal attacks. Reporting speed has improved, with 74% of organizations notifying within 30 days of becoming aware of a breach, but Falk stressed that faster notification is still needed to reduce harm to the individuals affected.
Despite these improvements, Falk highlighted that some organizations took more than four months to report breaches. Prompt notification matters because it allows affected individuals to take protective measures; every week of delay extends the window in which they are exposed. Falk encouraged organizations to notify affected individuals as soon as possible and to run their assessment and investigation in parallel with notification, rather than withholding notice until the investigation is complete.
The Australian Information Commissioner also stated that conclusive evidence of unauthorized access, disclosure, or loss is not required before an organization assesses whether an eligible data breach has occurred. In particular, unauthorized access on its own can constitute a breach; an organization need not first prove that the data was exfiltrated or disclosed.
Falk also noted variations in the detection of breaches, with 78% of organizations identifying breaches within 30 days, while others took up to 12 months. Organizations generally identified breaches resulting from malicious attacks and human error more quickly than those due to system faults.
Falk warned about the “mosaic effect” used by malicious actors who aggregate stolen information for phishing scams and identity theft. She emphasized the importance of robust controls to minimize data breach risks and the need for organizations to be alert to evolving cybersecurity threats.