Notifiable Data Breach Scheme to be enforced with new force: late reporting no longer tolerated

As part of the stronger regulatory approach of the Office of the Australian Information Commissioner (OAIC), there is a renewed focus by the national privacy regulator on organisations reporting more than 30 days after a data breach. This comes with a clarification that the clock starts ticking (the 30-day reporting obligation) from the moment “a reasonable person would conclude that the access or disclosure would be likely to result in serious harm to any of the individuals to whom the information relates”, and not when an investigation is completed. This means, if, at any time during a cyber incident investigation, the organisation has enough information to reasonably conclude that the data breach would be likely to result in serious harm to any of the individuals to whom the information relates – the clock has started.

The OAIC demonstrated its stronger regulatory approach to the Notifiable Data Breach (NDB) Scheme in 2023 by making two determinations against organisations who reported under the NDB Scheme but did not meet the 30 day reporting requirement: 

  • Pacific Lutheran College (Privacy) [2023] AICmr 98 (24 October 2023)
  • Datateks Pty Ltd (Privacy) [2023] AICmr 97 (24 October 2023)

Specifically, the OAIC determined that both Pacific Lutheran and Datateks failed to:

  • undertake an assessment of the data breach in an expeditious manner; and
  • take all reasonable steps to complete the assessment within 30 days.

What caused the data breach?

In both Pacific Lutheran and Datateks, the data breach was caused by an email address of a staff member of the organisations being subject to unauthorised access by a third party who then used that email account to send phishing emails to other staff in the organisation and external contacts. More information about cybercrime statistics is here. The unauthorised access to the email accounts was identified within one day and both organisations swiftly commenced investigations.

This swift identification of the data breach and commencement of an investigation was not sufficient to demonstrate all reasonable steps had been taken to complete the assessment of the data breach within 30 days.

The Privacy and Data Security Team at Moores also publish summaries of the NDB statistics reported by the OAIC each year: 2022 NDB statistics and 2023 NDB statistics

What needs to happen within 30 days?

The OAIC clarified that the reporting obligation arises when an eligible data breach is identified and not:

  • when the investigation into the data breach is concluded;
  • when the organisation receives a report from the IT provider they have engaged.

Critically, the OAIC determined that organisations cannot wait for the investigation to be concluded to make the determination as to the requirement to report and cannot “pause” the 30 day period by appointing an IT company to conduct an investigation into the breach.

When does a data breach become an eligible data breach? 

An eligible data breach includes unauthorised access to information that a reasonable person would conclude would be likely to result in serious harm to any of the individuals to whom the information relates. This means if, any at point during a data breach investigation, the organisation receives information that means there is a reasonable belief the unauthorised access is likely to result in serious harm to an individual to which the affected information relates – the 30 days starts.

A key factor is that the organisation does not need to know that serious harm has or will result from the unauthorised access – it is enough that serious harm is likely.

How we can help

We can help you through the process of managing data breaches: from preventative security audits and training, to implementing a data breach response plan, to making the assessment as to your reporting obligations and implementing learnings from the breach and privacy-by-design. Get in touch with our Privacy and Data Security Team to arrange a time to meet.

Contact us

Please contact us for more detailed and tailored help.

Subscribe to our email updates and receive our articles directly in your inbox.

Disclaimer: This article provides general information only and is not intended to constitute legal advice. You should seek legal advice regarding the application of the law to you or your organisation.