Australian authorities had to formally invoke powers to get a client list from a breached IT services provider, as problems persist in getting organisations to notify data breaches in a timely fashion.
The issue of Australian organisations either seeking to downplay or delay mandatory notification of a data breach was raised more than two years ago.
A regulatory report, released Tuesday, shows the issue persists.
“Prompt notification ensures individuals are informed and can take further steps to protect themselves, such as being more alert to scams,” Australian information commissioner and privacy commissioner Angelene Falk said in a statement.
“The longer organisations delay notification, the more the chance of harm increases.”
The Office of the Australian Information Commissioner (OAIC) said a ransomwared IT service provider notified its health service provider customers – hoping they would, in turn, notify patients – but declined to give their client list to the office.
The OAIC said it “became aware” of the incident, suggesting it had not been properly disclosed.
The provider only turned over its client list after receiving a written notice from the OAIC compelling it to do so.
“This information enabled the commissioner to ensure the affected individuals were notified and that all entities involved in the data breach complied with the notifiable data breaches scheme,” the OAIC said.
In a second case, the OAIC said it stopped short of issuing a written notice, but it still admonished another breached company that “advised it was unable to confirm if the incident was an eligible data breach or answer any questions until [an] analysis was completed.”
The company asked for “10 to 12 weeks” to complete the work.
The OAIC also expressed frustration at what it saw as delaying tactics by some entities that hid behind forensic and investigative work before assessing the impact of a suspected breach.
The office’s expectation is for an assessment and investigation to occur “simultaneously” or “in quick succession”.
The OAIC further said that if there was doubt an eligible breach had occurred, organisations should presume a breach had occurred and act accordingly.
“Conclusive or positive evidence of unauthorised access, disclosure or loss is not required for an entity to assess that an eligible data breach has occurred,” it said.
The OAIC said that data exfiltration is also not to be used as a “determinative factor” for whether a breach occurred.
“An eligible data breach can occur based on unauthorised access alone and individuals’ data can be stolen by less traceable means, such as screenshots,” it said.
“Entities need to consider all the information that was accessed by a threat actor, or the information that was accessible to them.”
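The assessment posture described above (scope the breach by what the compromised account could reach, presume eligibility when in doubt, and do not make proof of exfiltration the deciding factor) can be expressed as a small scoping routine. The following is an added example written for this article, not code from the OAIC or its report; the account name `svc-backup`, the access-control list, the data inventory and the audit-log lines are all constructed.

```python
"""Scope a suspected breach by what a compromised account could reach, not only
by what it provably read.  Added illustration of the assessment stance quoted in
the article; all data below is constructed, not taken from the OAIC report."""

import re
from dataclasses import dataclass, field

# Constructed access-control list: principal -> datasets it is permitted to read.
ACL = {
    "svc-backup": {"patients", "appointments", "billing"},
    "alice": {"appointments"},
}

# Constructed data inventory: dataset -> (record count, holds personal information?).
INVENTORY = {
    "patients": (12_000, True),
    "appointments": (30_000, True),
    "billing": (5_000, True),
    "metrics": (100, False),
}

# Constructed audit log: the compromised account has only ONE logged read event,
# which is exactly the situation where "accessed" understates the real exposure.
AUDIT_LOG = """\
2024-03-02T01:12:05Z audit user=svc-backup action=login src=203.0.113.9
2024-03-02T01:13:40Z audit user=svc-backup action=read dataset=appointments rows=40
2024-03-02T01:15:02Z audit user=alice action=read dataset=appointments rows=3
2024-03-02T01:20:11Z audit user=svc-backup action=logout
"""

LINE_RE = re.compile(
    r"user=(?P<user>\S+) action=(?P<action>\S+)(?: dataset=(?P<dataset>\S+))?"
)


@dataclass
class BreachScope:
    accessed: set = field(default_factory=set)    # datasets with a logged read by the account
    accessible: set = field(default_factory=set)  # datasets the account could have read
    individuals_at_risk: int = 0                  # records across accessible personal datasets
    presume_eligible: bool = False                # presume an eligible breach when in doubt


def accessed_datasets(log: str, principal: str) -> set:
    """Return the datasets for which `principal` has a logged read event."""
    found = set()
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if (m and m.group("user") == principal
                and m.group("action") == "read" and m.group("dataset")):
            found.add(m.group("dataset"))
    return found


def scope_breach(principal: str, acl=ACL, inventory=INVENTORY, log=AUDIT_LOG) -> BreachScope:
    """Scope exposure for a compromised principal.

    The 'accessible' set is the ACL grant plus anything actually read (in case the
    ACL snapshot has drifted); the affected-individual count is taken over that
    larger set, so the estimate does not depend on exfiltration evidence."""
    scope = BreachScope()
    scope.accessed = accessed_datasets(log, principal)
    scope.accessible = set(acl.get(principal, set())) | scope.accessed
    personal = [d for d in scope.accessible if inventory.get(d, (0, False))[1]]
    scope.individuals_at_risk = sum(inventory[d][0] for d in personal)
    scope.presume_eligible = bool(personal)
    return scope


if __name__ == "__main__":
    s = scope_breach("svc-backup")
    print(f"accessed={sorted(s.accessed)} accessible={sorted(s.accessible)}")
    print(f"individuals_at_risk={s.individuals_at_risk} presume_eligible={s.presume_eligible}")
```

Run against the constructed log, the account shows a single read of `appointments`, yet the ACL puts three personal-data datasets within its reach, so the notification scope is all 47,000 records rather than the 40 rows that happen to appear in the log. Replacing the constructed ACL and inventory with an export from a real identity store and data catalogue is the only change needed to use the same logic in an actual assessment.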
The raw number of notifiable data breaches in the first six months of the year fell by 16 percent to 409.