Have you heard? Australia's Notifiable Data Breaches (NDB) Scheme started one month ago.
After only a few short weeks, we have learned that Australian companies and other organisations have disclosed some 31 notifiable data breaches (called "eligible data breaches" under the Privacy Act 1988), some of which occurred before the NDB Scheme came into operation. While the raw number of breaches is concerning in itself, this also suggests that Australian businesses are taking their obligations seriously under the NDB Scheme.
Breaches reported during the NDB Scheme's first month have included a significant email breach suffered by shipping company Svitzer Australia (Svitzer), which affected almost half its Australian employees.
Between 27 May 2017 and 1 March 2018, when Svitzer was alerted to the breach, approximately 50,000 to 60,000 emails from three Svitzer employees' email accounts were secretly auto-forwarded to addresses outside the company. These emails may have contained sensitive information, including tax file numbers, superannuation account numbers and the names of employees' next of kin.
The NDB Scheme applies to organisations governed by the Privacy Act. It requires an organisation to assess a suspected breach and, where personal information has been disclosed or accessed in a way likely to cause serious harm, to notify the affected individuals. In that case, the organisation must notify both the affected individuals (including the steps they can take to reduce the risk of serious harm) and the Australian Information and Privacy Commissioner of the data breach. These steps need to be taken as soon as possible, and usually within 30 days of becoming aware of the data breach.