Lessons from the Notifiable Data Breach Scheme

The Notifiable Data Breach (NDB) Scheme requires organisations subject to the Privacy Act 1988 (Cth) (Privacy Act) to report eligible data breaches to the Office of the Australian Information Commissioner (OAIC) within 30 days.

Note: There is a current proposal to shorten this reporting period to 72 hours, bringing it in line with Europe’s requirement under the General Data Protection Regulation, and most reportable conduct schemes in Australia.

The OAIC publishes statistics twice a year about the notifications it receives under the NDB Scheme. We have summarised the trends and themes from those reports here.

In 2022, there were 890 notifications to the OAIC. Of these, 503 were malicious and criminal attacks, 320 were human error and 33 were a system fault.

Malicious or criminal attacks are increasing

Malicious and criminal attacks are consistently the largest cause of eligible data breaches. Following high profile data breaches in the latter half of 2022, notifications increased significantly (by 41%) from the January to June reporting period to the July to December reporting period.

Increase in malicious or criminal attacks

There are different types of malicious and criminal attacks, including phishing and ransomware. By far the most common type of malicious and criminal attack is a cyber security incident (76%). This shows the increasing connection between privacy and data security. The Australian Cyber Security Centre (ACSC) has guidance on improving cyber security to prevent these incidents.

It is worth noting that, ultimately, even cyber security incidents are caused by human error, whether in system design or in more direct action such as clicking on a suspicious link. The prevalence of these cyber security incidents (ransomware, compromised passwords, hacking, malware) points to an area for improvement in employee cyber literacy. While many organisations run phishing training and require passwords to be changed regularly, these measures can in fact create a false sense of security that a software system will intercept all threats, whereas human judgement is increasingly required to ward off the sophisticated cyber threats that are currently prevalent.

Human error is steady at one third of breaches

Since 2017, around one third of eligible data breaches under the NDB Scheme have consistently been caused directly by human error. These are the “low hanging fruit” that organisations can address quickly, while working in parallel on more complicated technological solutions to cyber threats.

The most common human error eligible data breach is emailing personal information (PI) to the wrong recipient. The second largest type is unintended release or publication. The graph below contains more information.

Organisations can address human error breaches in different ways, including human methods such as training, and technological methods such as automatic delays on outbound external emails (so staff can recall emails sent in error) or requiring publications to be tested in a protected environment, such as an offline one.

How we can help

We can help by working with you to identify areas of risk and exposure for your organisation regarding data security and the NDB scheme. We do this by conducting tailored privacy audits of your organisation’s operations, and working with you to design solutions to reduce any identified risks, and then conducting staff training.

Contact us

Please contact us for more detailed and tailored help.