Mandatory Privacy Breach Reporting – Year One


It’s a year since the introduction of the mandatory privacy breach reporting regime and Allan Yeoman of law firm Buddle Findlay says several high-profile breaches have tested the reporting requirements.

The Office of the Privacy Commissioner (OPC) says that of 697 privacy breaches reported between 1 December 2020 and 31 October 2021, one third met the threshold for serious harm.

Yeoman says this suggests a tendency toward over-reporting as organisations came to grips with the new requirements and adopted a conservative approach.

“Almost four times as many breaches were reported in this period than between 1 December 2019 and 31 October 2020,” he says in a blog post.

Allan Yeoman is a partner in Buddle Findlay’s Technology, Media and Telecommunications (TMT) team.

More than a third of serious breaches involved emotional harm. This is treated separately from other types of harm commonly reported, such as:

  • Reputational harm – 14%
  • Identity theft – 13%
  • Financial harm – 11%

“Human error accounted for 62% of serious privacy breaches reported, and within that category, the most common type of error was email error such as sending an email to the wrong person, attaching the wrong documents, or not BCC’ing when sending to multiple recipients,” writes Yeoman.

“In comparison, only 25% of serious breaches were caused by malicious attacks and 6% by theft of information.

“The remainder were attributable to system fault and other causes. The OPC will be in equal parts encouraged and frustrated that such a large proportion of reported breaches are preventable.”

Yeoman says 2021 has been a settling-in period for the mandatory notification regime, with many businesses forced to make judgment calls about whether or not to notify and (based on the OPC’s data) appearing to err on the side of caution.

“With greater experience of the regime, and additional guidance from the OPC, it is hoped that a more consistent approach to notification and serious harm thresholds will be developed, leading to greater certainty about when notification is required,” he writes.

He expects the OPC to take a more hands-on approach in monitoring breach reporting and calling out instances where it considers reporting obligations haven’t been met.