Office of the Australian Information Commissioner's new report on the first year of the Notifiable Data Breaches Scheme

The NDB Scheme applies to organisations which are subject to the Privacy Act 1988 (Cth), which includes all organisations with an annual turnover of $3 million or more. The NDB Scheme requires that these organisations notify affected individuals and the OAIC of any data breach which occurs and which is likely to cause serious harm to the individuals whose personal information is involved. Failure to comply with the NDB Scheme can lead to fines of up to $2.1 million.
The Report provides an analysis of the 964 data breaches reported in the first year of the NDB Scheme's operation, and sets out various statistics on the nature, cause, remedial action and lessons learnt from those breaches. Some key statistics from the Report include that:
- 60% of notifiable data breaches were traced back to malicious or criminal attacks;
- the leading cause of data breaches was phishing, whereby individuals were tricked by scam emails or links into handing over their credentials, which the attacker then used to gain access to systems; and
- over a third of all notifiable data breaches were directly due to human error. Human error included insecure disposal of information, sending an email to the wrong recipient, unauthorised disclosures, and loss of devices.
These statistics demonstrate that notifiable data breaches are occurring more than once a day, and organisations cannot simply assume it will not happen to them. It is imperative that our clients are both prepared in the event that they suffer a breach, and aware of their reporting and harm mitigation obligations in such a situation.
We previously examined the steps organisations can take to minimise the risk of causing data breaches through human error, and how our clients can prepare for the event that such a breach does occur. This one-year anniversary provides a timely reminder of the need for our clients to implement practical risk mitigation procedures and policies and to prepare for a potential data breach.
If you or any of your clients have any queries with respect to the NDB Scheme or the Report, please do not hesitate to reach out to us or the privacy specialists in your office.