Tags: compliance, NDB, data breaches, privacy law

Understanding the Notifiable Data Breaches (NDB) Scheme

Sarah Mitchell

Since February 2018, Australian businesses have been required to notify the Office of the Australian Information Commissioner (OAIC) and affected individuals about eligible data breaches under the Notifiable Data Breaches (NDB) scheme.

What is an Eligible Data Breach?

An eligible data breach occurs when:

  1. There is unauthorized access to or disclosure of personal information held by an organization
  2. A reasonable person would conclude that the access or disclosure would likely result in serious harm to any individual
  3. The organization has been unable to prevent the likely risk of serious harm with remedial action

The "Serious Harm" Threshold

Serious harm can include:

  • Physical harm or threats to safety
  • Identity theft or fraud
  • Financial loss
  • Psychological harm or humiliation
  • Damage to reputation
  • Loss of employment or business opportunities

Notification Requirements

Timeline

Organizations must notify the OAIC and affected individuals as soon as practicable after becoming aware of an eligible data breach. While there's no specific timeframe, the OAIC expects prompt notification.

What to Include

Notifications must contain:

  • A description of the breach
  • The kinds of information involved
  • Recommendations for individuals to reduce harm
  • Contact details for further information

Who to Notify

  1. OAIC: Submit a statement through the OAIC's online form
  2. Affected individuals: Direct notification where practicable
  3. Public notification: If direct contact isn't possible

Assessment Process

Step 1: Suspect a Breach

This could result from:

  • Security incident alerts
  • Customer complaints
  • Internal audits
  • Third-party notifications

Step 2: Contain and Assess

Immediately:

  • Contain the breach
  • Preserve evidence
  • Assess the scope
  • Determine if it's an eligible data breach

Step 3: Remediate

Take steps to prevent serious harm:

  • Reset passwords
  • Implement security patches
  • Enhance monitoring
  • Review access controls

Step 4: Decide and Notify

If remediation doesn't prevent likely serious harm, prepare and submit notifications.

Case Studies

Example 1: Ransomware Attack

A healthcare provider suffered a ransomware attack that encrypted patient records, including medical histories and treatment details. The provider paid the ransom, but there was still evidence that data had been exfiltrated.

Outcome: An eligible data breach requiring notification, given the sensitivity of the health information involved and the potential for serious harm.

Example 2: Lost Laptop

An employee's laptop containing customer data was stolen from their car. The laptop had full-disk encryption enabled, and there was no evidence that the data had been accessed.

Outcome: Not an eligible data breach, because effective encryption prevented unauthorized access to the data.

Example 3: Email Misconfiguration

A marketing email was sent to 500 customers with all email addresses visible in the "To" field instead of "BCC".

Outcome: An assessment was required, but the breach was likely not eligible, because disclosure of email addresses alone carries a low risk of serious harm.

Preparing Your Organization

1. Data Breach Response Plan

Develop and document:

  • Incident detection procedures
  • Escalation pathways
  • Assessment criteria
  • Notification templates
  • Recovery procedures

2. Regular Training

Ensure staff understand:

  • How to recognize potential breaches
  • Reporting procedures
  • Their responsibilities
  • The importance of timely action

3. Technical Measures

Implement:

  • Intrusion detection systems
  • Security information and event management (SIEM)
  • Regular vulnerability assessments
  • Incident response tools
  • Forensic capabilities

4. Third-Party Management

Include NDB requirements in:

  • Vendor contracts
  • Service level agreements
  • Due diligence processes
  • Ongoing monitoring

Common Mistakes to Avoid

  1. Delaying assessment: Start immediately when you suspect a breach
  2. Inadequate investigation: Thoroughly understand the scope and impact
  3. Poor communication: Use clear, non-technical language
  4. Incomplete notifications: Include all required information
  5. Ignoring follow-up: Continue to update affected parties as needed

Penalties for Non-Compliance

The OAIC can impose civil penalties of up to:

  • $2.5 million for individuals
  • For bodies corporate, whichever is greater of:
      – $50 million
      – Three times the value of the benefits obtained from the breach
      – 30% of turnover during the breach period

Beyond financial penalties, non-compliance can result in:

  • Enforcement actions
  • Adverse publicity
  • Loss of customer trust
  • Regulatory scrutiny

Getting Help

Navigating the NDB scheme can be complex. DataSentry provides:

  • Breach readiness assessments: Evaluate your preparedness
  • Response plan development: Create customized procedures
  • 24/7 incident support: Expert guidance when breaches occur
  • Training programs: Educate your team on requirements

Need help ensuring your organization is prepared for potential data breaches? Contact DataSentry for a comprehensive readiness assessment and response planning assistance.

Published on 10 January 2025
