System faults occur due to a business or technology process error. Whilst they only account for a minority of all notifications under the Notifiable Data Breach (NDB) scheme, they disproportionately go unidentified and unreported for long periods of time.
According to the latest report from the Office of the Australian Information Commissioner (OAIC), system faults cause 5% of breaches, considerably less than either malicious or criminal attack (65%) or human error (30%). Despite this, there tend to be considerable delays in reporting breaches due to system faults to the OAIC. In fact, 30% of breaches due to system faults are reported to the OAIC more than a year after the breach.
This delay in identifying and reporting system fault breaches is a cause for concern, as a key objective of the NDB scheme is to ensure that an entity that experiences a data breach provides timely notification, ideally within 30 days, to individuals at risk of serious harm from the breach. Delays in assessment and notification reduce the opportunity for an individual to take steps to prevent harm.
This pattern highlights the fact that an organisation’s processes are not ‘set-and-forget.’ All organisations need to regularly review and update their business and technology processes to ensure they remain fit for purpose. Ideally, such reviews should be undertaken annually and would benefit from external expertise to independently assess the efficacy of all relevant processes, particularly as they pertain to an organisation’s responsibilities under the NDB scheme.