Thousands of victims identified shortly after NDB came into force

Just six weeks after Australia launched its new Notifiable Data Breach (NDB) scheme, more than 60 leaks have already been reported.

The Office of the Australian Information Commissioner (OAIC) has received 63 notifications of data breaches since the introduction of NDB in February.

More than 50% of the compromises were due to human error, but 44.5% were due to malicious actors. Failures in IT systems caused just two of the data leaks.

This figure is a stark contrast to the 2016-2017 financial year, when reporting was non-compulsory, during which the OAIC received just 114 admissions.

Eight of the breaches were reported within the first six days of the legislation being enacted, according to the OAIC.

Businesses conducting legal, accounting and management services made up 16% of these breaches, while financial companies were 13%.

But the industry with the largest amount of breaches was the healthcare sector, which was outlined recently as a major target for cyber-attacks.

Leaked data included contact details, financial information, health records, and ID documentation.

While 73% of breaches affected less than 100 people, some cases compromised the information of between 10,000 and 99,999 individuals.

It isn’t yet clear how many people were affected in total.

The law deems it mandatory for organizations to report data breaches if there is a likelihood it could pose a “serious harm” to the victims.

Speaking to The Daily Swig Patrick Fair, partner at law firm Baker & McKenzie, provided some additional insight into what is likely to be considered ‘serious harm’ in the eyes of the OAIC.

“When the legislation was in draft, submissions were made to the government that a common law definition of harm should apply,” Fair stated.

“However, the government has taken the view that in the area of privacy, a lower threshold encompassing psychological and emotional harm should apply.”

Fair said he expected more guidance around the meaning of ‘serious harm’ to emerge from decisions relating to this new regime over time.

Until then, however, the Sydney-based legal expert said organizations would likely err on the side of caution when it comes to disclosing breaches.