Exposure alert:

Organisations face multiple data security threats daily, in the form of cyberattacks ranging from malware and ransomware to phishing and social engineering. As these threats become ever more sophisticated, business leaders must demonstrate to their organisation and their stakeholders a serious intent to address weaknesses.

Is it a Notifiable Data Breach?
Case study: Frontier Software
A ransomware attack in 2021 on payroll system provider Frontier Software exposed the personal details of its clients...

Case study: Ambulance Victoria
Confidential employee information, namely the results of drug and alcohol tests of prospective graduate paramedics collected...

Case study: Toll Group
Logistics group Toll Holdings was the victim of a ransomware attack in early 2020, forcing it to shut down systems across multiple sites and business units.

What is a Notifiable Data Breach?

A data breach becomes notifiable when the information involved is deemed likely to result in serious harm to any of the individuals affected, especially if remedial action would not reduce that risk.

A breach of identifiable data (data that can be connected to a person) is the most serious kind, and it is when action must be taken to alert the people and organisations whose privacy has been compromised.

The definition of harm is broad, from unwanted marketing and spam emails to reputational damage, emotional distress, financial loss or identity theft.

Any organisation or agency covered by the Privacy Act 1988 must notify every affected individual as well as the OAIC (Office of the Australian Information Commissioner) if a data breach involves identifiable information. For more information about responsibilities under the Privacy Act, visit the OAIC website.

How quickly do I need to notify?

Organisations have 30 days to determine if a breach is notifiable. Communications to individuals must include recommendations about the steps they should take in response to the data breach.

The Australian Information Commissioner has broad powers to enforce penalties against businesses that interfere with an individual’s privacy. The maximum penalty on successful prosecution is $402,000 for individuals and $2.1 million for corporations.

The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 gave the Commissioner further powers to obtain information and documents regarding an actual or suspected eligible data breach.

What isn’t a notifiable breach?

If an entity acts quickly to remediate a data breach, and as a result of this action the data breach is not likely to result in serious harm, there is no requirement to notify any individuals or the Commissioner.

Types of Notifiable Data Breaches

Malicious attacks are the cause of 70% of notifiable data breaches, largely through ransomware, compromised or stolen credentials, or phishing emails that have exposed company networks.

Another 26% were the result of human error, which includes personal information being sent to the wrong recipient, an unauthorised disclosure such as an unintended release, and failure to use BCC on an email.

Few breaches result from a genuine system weakness or fault, or forceful system entry from hackers and cybercriminals.

Ransomware attack: Malicious code (malware) deployed within a network encrypts files, and the attackers demand a ransom in exchange for the key needed to decrypt them and restore access. It usually comes with a threat to release sensitive or personal information to buyers on the dark web.

Privacy breach: The exposure of personal or sensitive information that could be exploited or lead to a person being harmed. Privacy breaches may be the result of malicious actions, such as a network attack or unauthorised access, or of accidental exposure, such as the loss of devices or documents that contain the information.

Supply chain attack or breach: This occurs when an organisation shares information with a third party, and that third party then suffers a malicious or accidental data breach. While the attacked entity is responsible for the breach, the organisation that shared the data remains its custodian.