The legal, accounting and management services sector provided the OAIC with the third highest number of data breach notifications in the reporting period of July to September 2018.
With 34 data breaches total, the sector ranked only behind health service providers (45 breaches), and the finance industry, inclusive of superannuation (35 breaches).
Across 245 total notifications from 1 July to 30 September, the legal, accounting and management services sector accounted for 14 per cent of the total number of recorded breaches during the period.
The sector showcased an even split between breaches arising out of human error and malicious or criminal attacks, with 17 apiece.
Causes of notifiable data breaches in the sector included a failure to use BCC when sending an email, the loss of paperwork or a data storage device, the sending of private information to a wrong recipient via email and ordinary mail, the delivering of private information to the wrong individual in some other way and the unauthorised disclosure of information through the unintended release or publication of such details.
Interestingly, the sector recorded the highest number of cyber incidents out of the top five, with fifteen data breaches attributable to a “cyber incident.” Most of these incidents occurred through the compromising of credentials by phishing, with isolated instances of “brute-force attack”, hacking, malware and unknown methods of compromising credentials also recorded.
Two instances where paperwork or data storage devices were stolen also resulted in notification of the OAIC.
On a slightly more positive note, the legal, accounting and management services sector was the only segment within the top five (that also named education and personal services), that did not record any breaches as a result of a system fault.
Overall, the legal and accounting data breach trends did not appear to be wholly reflective of wider security breaches, where out of the 245 total recorded breaches, approximately 57 per cent of all data breaches were caused by malicious or criminal attack and only thirty-seven per cent were caused by human error in this quarter.
The Australian information commissioner and privacy commissioner Angelene Falk said as part of “business as usual”, staff need to be trained on how to identify and prevent privacy risks.
She highlighted the importance of everyone handling personal information as part of their work needing “to understand how data breaches can occur so we can work together to prevent them.”
“Organisations and agencies need the right cyber security in place, but they also need to make sure work policies and processes support staff to protect personal information every day,” Ms Falk emphasised.
The Privacy Act requires agencies and organisations “take reasonable steps to secure personal information.”
Organisations required by the OAIC to notify it of data breaches include Australia government agencies, businesses and not-for-profit organisations with an annual turnover of $3 million-plus, credit reporting bodies, health service providers, and TFN recipients.
Lawyers Weekly was recently joined by a panel of professionals to discuss regulatory and legislative updates impacting how lawyers can and must protect data, current threats, and cyber security solutions. The webinar Security breaches: Is your firm protected? is available for viewing here.