11 December 2020

63. Have entities’ practices, including data security practices, changed due to the commencement of the NDB Scheme?

64. Has the NDB Scheme raised awareness about the importance of effective data security?

65. Have there been any challenges complying with the data breach notification requirements of other frameworks (including other domestic and international frameworks) in addition to the NDB Scheme?

12.1 The Notifiable Data Breaches (NDB) scheme commenced in February 2018 and introduced new obligations for Australian Government agencies and private sector organisations that have existing information security obligations under the Privacy Act. The NDB scheme replaced the voluntary data breach notification scheme that had been in operation at the Commonwealth level since 2008.

12.2 The NDB scheme requires regulated entities to notify individuals and the OAIC about ‘eligible data breaches’. A data breach is eligible if it is likely to result in serious harm to any of the individuals to whom the information relates.

12.3 The key objective of the NDB scheme is to enable individuals whose personal information has been compromised in a data breach to take remedial steps to lessen the adverse impact that might arise from the breach. By arming individuals with the necessary information, they will have the opportunity to take appropriate action, such as monitoring their accounts and credit reports or taking preventative measures such as changing passwords and cancelling credit cards.[223]

12.4 The NDB scheme also serves the broader purpose of enhancing entities’ accountability for privacy protection. By demonstrating that entities are accountable for privacy, and that breaches of privacy are taken seriously, the NDB scheme works to build trust in personal information handling across the private and public sectors.

12.5 Subject to some recommended enhancements below, the OAIC considers that the NDB scheme has been effective in meeting its key objectives of improving consumer protection and increasing accountability through transparency. While the OAIC has made some suggestions for improvement, the NDB scheme generally strikes the right balance between empowering individuals to protect their privacy while placing reasonable regulatory requirements on regulated entities consistent with the broader objectives of the Privacy Act.

12.6 The OAIC’s notifiable data breaches statistics reports provide regulated entities with information about the causes of data breaches, areas of risk and how entities can improve their security posture and processes to minimise the risks of a data breach.[224]

12.7 The scheme has additional potential to uplift the security posture of regulated entities. This would be assisted by providing the OAIC with additional capability to undertake technical and forensic investigations to better support regulatory action that incentivises a proactive approach to securing personal information.

Impact of the NDB scheme

12.8 The NDB scheme has provided unprecedented visibility into how Australian entities are meeting the challenges associated with protecting personal information.

12.9 In the first 12 months of the operation of the NDB scheme, the OAIC reported quarterly on the NDB scheme, supplementing statistical insights with analysis and detailed trend data. The OAIC now publishes six-monthly reports. The aggregated insights contained in each report allow other entities and the broader public to learn from the experiences of notifying entities. The following section provides an overview of key insights from the NDB scheme since its commencement.

Notification volumes

12.10 The introduction of the NDB scheme in February 2018 was widely expected to herald an increase in notifications from entities, in line with the community’s expectations for greater accountability and transparency.

In the first full financial year after the NDB scheme commenced (2018-19), the OAIC received 939 data breach notifications. In the 2019-20 financial year, the OAIC received 1,050 data breach notifications.

Prior to the NDB scheme, there were 114 voluntary notifications in the 2016–17 financial year and 107 voluntary notifications in the 2015–16 financial year. A key difference between voluntary notifications and the NDB scheme is that there was no obligation to inform affected individuals under the voluntary scheme.

12.11 The increase in notifications reflects a significant increase in entities’ awareness of and compliance with their obligations to notify the OAIC and affected individuals where a breach of personal information is likely to result in serious harm.

12.12 By way of comparison, the last global data breaches report published by DLA Piper in January 2020 indicated that there had been approximately 161,000 data breaches reported to European data protection authorities from the commencement of the GDPR on 25 May 2018 until 27 January 2020.[225] The Netherlands, Germany and the UK topped the EU member countries in the report with approximately 40,600, 37,600 and 22,000 reported breaches respectively.

12.13 Updated figures are not available for all countries covered by the DLA Piper report, but statistics published by the UK Information Commissioner’s Office indicated they received a total of 11,854 notifications of ‘personal data breaches’ during 2019–20.

12.14 Based on the DLA Piper data published in January 2020, when compared with EU member countries’ data breach notifications in 2019, Australia ranks 23rd. Australia had 3.9 notifiable data breaches per 100,000 people in the period from 1 January 2019 to 31 December 2019.[226] In comparison, for approximately the same period (28 January 2019 to 27 January 2020) the UK had 17.8 data breaches per 100,000 people, ranking 13th of EU member countries. However, it is important to note that certain entities are currently excluded from the OAIC’s jurisdiction (such as small business operators and State and Territory government agencies) and the NDB scheme has a higher threshold of ‘serious harm’ compared to the requirements for notification under the GDPR. These factors likely account for the higher number of notifiable data breaches in the EU.

12.15 The visibility provided by the NDB scheme, and the increase in notifications, has also enabled the OAIC to examine security practices and conduct inquiries to ensure containment, rectification and future mitigation of security risks. There have also been times when further regulatory action has been necessary, including issuing a direction to notify under s 26WR of the Privacy Act.

Sources of data breaches

12.16 The NDB scheme has provided the OAIC with valuable insights into the reasons data breaches have occurred, and how entities can improve their security posture and processes to minimise the risks of a data breach.

12.17 Malicious or criminal attacks continue to be the main source of data breaches under the NDB scheme, reflecting the continuing challenge that organisations and governments face in mitigating risks from cyber security threats. In these circumstances, mandatory data breach notification is an important mitigation strategy that has the potential to benefit both the entity and the individuals affected by a data breach. It also signals to entities that the protection of individuals’ personal information should be a priority in the digital age.

12.18 However, most data breaches, including those resulting from a cyber incident, involved a human element, such as an employee sending information to the wrong person or clicking on a link that resulted in the compromise of user credentials.

12.19 Health service providers have consistently reported the most data breaches compared to other industry sectors. This is likely a reflection of the high-volume data holdings in this industry and may also indicate comparatively mature processes for identifying and reporting data breaches.

12.20 The majority of data breaches reported affect fewer than 1,000 people, with contact information the most common form of personal information lost.

Protection for individuals

12.21 The key objective of the NDB scheme is to enable individuals to take steps to mitigate the risk of harm that may arise from a data breach. Since the commencement of the NDB scheme, the OAIC has observed numerous examples of organisations taking immediate steps to reduce further harm to affected individuals.

A better practice example involved a reporting entity using social workers to notify affected individuals by phone in the context of a data breach impacting a vulnerable segment of the community. In addition to providing information about the data breach and recommended steps to reduce harm, the social workers also asked questions to identify any individuals at higher risk of harm and accordingly made appropriate referrals for further support.[227]

12.22 It is important to note that the NDB scheme is designed so that only data breaches that meet the ‘serious harm’ threshold are notifiable. It is not the intention of the scheme that every data breach be subject to a notification requirement. Specifically, the NDB scheme does not require the notification of minor breaches because of the administrative burden that may place on entities, the risk of ‘notification fatigue’ on the part of individuals, and the lack of utility where notification does not facilitate harm mitigation.[228]

Improved security standards

12.23 The requirement to notify individuals of eligible data breaches goes to the core of what should underpin good privacy practice for any entity – transparency and accountability. Being ready to assess and, if appropriate, notify of a data breach provides an opportunity for entities to understand where privacy risks lie within their operations, to address the human and cyber elements that contribute to data breaches and to prevent or minimise harm to individuals and the community.

12.24 Further, it is important to note that a data breach may not equate to a breach of the Privacy Act if an entity has taken reasonable steps to secure their personal information holdings under APP 11 and has otherwise complied with its broader obligations. The requirements under the NDB scheme incentivise entities to ensure they have reasonable steps in place to secure personal information in accordance with their obligations.

12.25 Since the commencement of the NDB scheme, we have observed efforts by many entities to lift their practices, such as by developing and implementing data breach response plans and improving security and privacy standards, and efforts by some entities in adopting data minimisation policies to reduce overall exposure.

Timelines for assessment and notification following a data breach

12.26 The NDB scheme requires entities to carry out an assessment of a data breach within 30 days of becoming aware of reasonable grounds to suspect that there may have been an eligible data breach, and to notify the OAIC and affected individuals as soon as practicable after it confirms that an eligible data breach has occurred.

12.27 The OAIC has observed an increasing tendency for entities to conclude their assessment within 30 days, but then take months longer to conclude their investigation and thus identify all individuals at risk of serious harm. Entities defend these delays in notification by indicating that notification has occurred ‘as soon as practicable’ in accordance with the legislative requirements.

In the January-June 2020 NDB scheme report, the OAIC reported that 74% of notifying entities were able to complete their assessment of the data breach and report it to the OAIC within 30 days of becoming aware that a data breach had potentially occurred.

In 63 instances (12% of all notifications), the entity took longer than 60 days to complete its assessment and notify the OAIC, and in 25 instances (5%) it took more than 121 days.

There was considerable variation across industries in the time taken to notify the OAIC of an eligible data breach:

  • 87% of notifications from the health sector and 82% of notifications from the education sector were made within 30 days
  • only 65% of notifications from the finance sector and 66% of notifications from the insurance sector were made to the OAIC within 30 days of the notifying entity becoming aware of the breach.

12.28 Where the assessment is not completed within 30 days, the entity must provide the OAIC with an explanation for the delay. Explanations provided to the OAIC for delays in assessment and notification of data breaches include references to the complexity of an enterprise IT environment, or the significant number of emails and documents stored in a compromised email account.

12.29 One of the key objectives of the NDB scheme is to ensure that individuals who are at risk of serious harm as a result of a data breach are notified of the breach and can take steps to reduce the risk of harm. The OAIC generally expects entities to complete their assessment of a suspected eligible data breach and notify individuals expeditiously as the risk of serious harm to individuals often increases with time.[229]

12.30 The statutory timeframes under the NDB scheme aimed to address any underreporting and delays in reporting under the voluntary scheme that preceded the NDB scheme. The timeframes are intended to provide flexibility for entities to scale their response to the particular facts and circumstances of a data breach. That is, the amount of time and effort entities will expend in an assessment should be proportionate to the likelihood of the breach and its apparent severity.

12.31 The statistics demonstrate that most entities are able to comply with the statutory timeframes. However, the statistics also demonstrate that there is significant variation across industry in terms of compliance, with some entities taking longer than envisioned by the statutory timeframes under the NDB scheme.

12.32 The OAIC considers that there is value in creating greater prescription around the timeframes for notification to support timely notification and engagement with the office. The OAIC considers that entities should be required to assess, investigate and notify a data breach within 30 days. A 30-day time period strikes the appropriate balance between enabling entities to complete an assessment and investigation of a data breach, while ensuring timely notification to individuals.

12.33 Specifically, s 26WK could be amended so that, once an entity is aware that there are reasonable grounds to believe that there has been an eligible data breach, they must notify the OAIC as soon as practicable, but no later than 30 days, after the entity became aware that there were reasonable grounds to suspect that there may have been an eligible data breach. In other words, an entity has a maximum of 30 days from the day on which it had reasonable grounds to suspect that there may have been an eligible data breach to notify the OAIC.

12.34 Entities must then notify individuals as soon as practicable, but no later than 5 days, after notifying the OAIC. This approach is supported by the flexibility provided by the notification options contained in the existing s 26WL(2). That is, the NDB scheme provides the following three options for notifying individuals depending on what is practicable for the entity in the circumstances:

  • (a) notify each individual whose personal information was involved in an eligible data breach, or
  • (b) notify only those individuals at risk of serious harm from the eligible data breach, or
  • (c) if neither option (a) nor (b) is practicable, the entity must publish a copy of the statement on its website and take reasonable steps to publicise the contents of the statement.

12.35 The three options for notification recognise that it may not be possible to definitively identify every individual at risk of serious harm in an eligible data breach. Entities need to balance the requirement to conduct a thorough assessment and investigation of a data breach with the timely notification of individuals. Accordingly, entities will need to select the most suitable method of notification within the proposed 30-day timeframe based on the facts and circumstances of the particular breach. The OAIC considers this will encourage entities to act promptly on a breach and ensure timely notification to individuals so they may take steps to mitigate the risk of harm.

12.36 Further, the OAIC considers that the Commissioner should have an express and clear ability to direct a notifying entity to continue to investigate a data breach and provide a subsequent notification to individuals if required in the circumstances. For example, in the event of a sophisticated ransomware attack, an entity may not be in a position at the end of 30 days to notify individuals directly, so it may publish the notification on its website as provided for in s 26WL(2)(c). In these circumstances, the Commissioner should have the power to direct the entity to:

  • continue to investigate the data breach, and
  • notify individuals if required once further details of the breach are established.

12.37 Finally, the OAIC considers that the recommendations outlined above should be coupled with the ability for the Commissioner to apply to the courts for a civil penalty or issue an infringement notice, in circumstances where an entity has failed to comply with the prescribed timeframes.

Assisting individuals affected by a data breach

12.38 Currently under s 26WK(3)(d), an entity must include in a notification, amongst other things, recommendations about the steps that individuals should take in response to an eligible data breach. However, there is no positive obligation on entities to take steps to help mitigate the adverse impacts or risk of harm that may arise for individuals as a result of a data breach by, for example, assisting individuals to replace identification documents that may have been compromised, engaging a credit monitoring service for affected individuals, or monitoring the dark web.

12.39 The OAIC considers that the NDB scheme should include an express requirement for entities to take reasonable steps to mitigate the adverse impacts or risk of harm to individuals whose personal information has been involved in a breach and, to the extent possible, return an individual to the position they would have been in prior to the breach. This will further support and enhance the NDB scheme’s core objective to protect consumers while placing reasonable regulatory requirements on entities.

Recommendation 62 Amend s 26WK so that once an entity is aware that there are reasonable grounds to believe that there has been an eligible data breach, they must notify the Commissioner as soon as practicable, but no later than 30 days, after the entity became aware that there were reasonable grounds to suspect that there may have been an eligible data breach.

Recommendation 63 Amend s 26WL so that an entity must notify individuals as soon as practicable, but no later than five days, after notifying the Commissioner.

Recommendation 64 Amend s 26WR to provide the Commissioner with an express power to direct an entity to continue to investigate a data breach and provide subsequent notification to affected individuals if required in the circumstances.

Recommendation 65 Enable the Commissioner to issue an infringement notice or apply to the Courts for a civil penalty in circumstances where an entity has failed to comply with the prescribed timeframes.

Recommendation 66 Include an express requirement for entities to take reasonable steps to mitigate the adverse impacts or risk of harm to individuals whose personal information has been involved in a breach and, to the extent possible, return an individual to the position they would have been in prior to the breach.

Interaction with other regimes

12.40 As noted in the Issues Paper, other jurisdictions have enacted data breach notification obligations that Australian entities may be required to comply with. The OAIC notes that variation between privacy and data protection laws in different jurisdictions can present challenges to regulated entities. That is the reality of operating internationally in an environment where international data flows and data breaches are increasingly frequent occurrences.

12.41 While there may be variation in the schemes in terms of their specific requirements, the core goal of mandatory data breach notification is the same – that is, to notify individuals if their personal data has been involved in a data breach so they may take steps to mitigate any harm that may arise.

12.42 In this way, the schemes are not in conflict, but are interoperable. The goal of interoperability is not to achieve uniformity in privacy and data protection law. Rather, interoperability recognises differences around the world and provides a bridge to ensure personal information is protected wherever it flows.[230]

Footnotes

[223] Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016, pg 9.

[224] The OAIC’s notifiable data breaches statistics are available on the OAIC’s website.

[225] DLA Piper (January 2020) GDPR Data Breach Survey 2020, accessed 26 December 2020.

[226] Australian Bureau of Statistics (ABS) (March 2020) National, state and territory population [data set] abs.gov.au, accessed 26 November 2020.

[227] OAIC (May 2019) Notifiable Data Breaches scheme 12-month insights report [online document], OAIC, accessed 26 November 2020.

[228] Explanatory Memorandum, Privacy Amendment (Notifiable Data Breaches) Bill 2016, pg 4.

[230] OAIC, 2020 Vision: Challenges and opportunities for privacy regulation: Keynote address by Australian Information and Privacy Commissioner, Angelene Falk, at the International Association of Privacy Professionals Australia and New Zealand 2019 Summit in Sydney, 29 October 2019, https://www.oaic.gov.au/updates/speeches/2020-vision-challenges-and-opportunities-for-privacy-regulation/ (accessed 12 November 2020).