How to prepare for the OAIC’s stronger regulatory approach to enforcement of the Notifiable Data Breach scheme

Organisations, including not-for-profit organisations and schools, are on notice that the Office of the Australian Information Commissioner (OAIC) is going to take a “stronger regulatory approach” to enforcement of the Notifiable Data Breach (NDB) Scheme from 2024. The national privacy regulator announced the stronger regulatory approach in its bi-annual report publishing statistics on reporting trends under the Scheme, citing information security as a regulatory priority.

We recommend organisations prepare for this new, stronger regulatory approach from the OAIC by:

  • Understanding the types of notifications made under the NDB Scheme in 2023 – we have done this for you below
  • Considering the risks of cybercrime in Australia
  • Reviewing the determinations by the OAIC which set these higher expectations
  • Reflecting on your security vulnerabilities – consider doing a data security audit or penetration testing
  • Implementing a data breach response plan tailored to your organisation
  • Training staff to identify data breaches, report internally and implement the data breach response plan

NDB Scheme statistics from 2023

In 2023, 892 notifications were made to the OAIC under the NDB Scheme.

Health service providers made the most notifications under the NDB Scheme, accounting for 18% of all notifications. In addition, 37% of notifications involved health information being subject to the breach. This is significant, because the regulatory response and imposition of civil penalties against organisations takes into account the emotional harm caused by privacy breaches, and the breach of health data can generally have a heightened negative impact on individuals, not to mention the possibly discriminatory consequences.

Understanding types of data breaches

Cyber security incidents represented 42% of notifications:

  • 22% were compromised credentials (including phishing and other methods)
  • 14% were cyber incidents due to social engineering or impersonation
  • 12% were from ransomware

Human error represented 28% of notifications:

  • 5% were unintended release of publications
  • 10% were emailing information to the wrong person by mistake

In July to December 2023, compromised or stolen credentials were a leading cause of all data breaches. The OAIC identifies that the large-scale data breaches in recent years have put organisations at heightened risk of cyber incidents involving passwords that were exposed in those earlier breaches. In addition to implementing multi-factor authentication and strong password requirements (including regular changing of passwords), organisations can:

How we can help

The privacy and data security team at Moores can help you prepare for data breaches through privacy training, privacy audits and designing custom privacy and data protection procedures and internal tools for staff. We can help you respond to a data breach by assessing the breach under the Notifiable Data Breach Scheme, and helping you implement a Data Breach Response Plan.

Contact us

Please contact us for more detailed and tailored help.


Disclaimer: This article provides general information only and is not intended to constitute legal advice. You should seek legal advice regarding the application of the law to you or your organisation.