Australian notifications remain at elevated levels

05 December 2018

Data breaches notified to the Office of the Australian Information Commissioner (OAIC) remain at elevated levels, with hundreds of breaches reported since the country’s Notifiable Data Breaches (NDB) scheme went live on 22 February 2018.

The latest statistics from the OAIC show that Australian organisations reported 245 data breaches between July and September this year, compared with 242 in the prior three months. Combined with the 63 data breaches notified in February and March, the OAIC has had to deal with a total of 550 breaches under the NDB scheme.

Some 57% of the breaches in the last three months were from malicious data or criminal attacks, while 37% were the result of human error (20% of data breaches over the quarter occurred when personal information was sent to the wrong recipient). Most data breaches (63%) in the period involved the personal information of 100 individuals or fewer. 85% of the breaches involved contact details, while 45% contained financial information.

Of the 139 data breaches from a malicious or criminal attack, 69% involved cyber incidents, while many involved the exploitation of vulnerabilities involving a human factor – over half involved a phishing email - as well as incidents involving malware, ransomware and hacking by other means.

The OAIC annual report, released shortly before the quarterly figures, showed the contrast of notifications under the mandatory scheme versus the previous voluntary arrangement. The regulator received 305 reports under the NDB scheme between February and June 2018, compared to 114 voluntary reports in 2016–17.


Data breach laws, including notification and reporting requirements, continue to tighten around the world. Canada became the latest country to introduce a mandatory breach notification scheme on 1 November, following wide ranging data protection and notification requirements in the EU under the GDPR, which was implemented in May 2018.

In the US a number of states, including Arizona, Vermont and Colorado, have bolstered their existing data breach notification requirements. In 2017, Weight states expanded their data breach notification laws. On 1 September 2018, Colorado enacted some of the most rigorous data breach notification laws yet, broadening the definition of “personally identifiable information”. It also imposed a 30-day breach notification deadline.

In June, California passed laws that would introduce data privacy rights, similar to those found in the GDPR. Following a number of large data breaches in recent years, calls for a federal privacy law have also increased. Republican Will Hurd, the chairman of the Information Technology Subcommittee of the House’s Committee on Oversight and Government Reform, said recently that a US version of GDPR was a possibility. In November, Senator Ron Wyden said he will introduce a bill to introduce tougher privacy rules to curb the misuse of consumer data.

The Consumer Data Protection Act would give the Federal Trade Commission the authority to fine companies up to 4% of revenue and jail executives who mishandle consumer data.

For more articles like this, download our Cyber Decoder
Cyber business interruption ranked as top risk bgLearn more about cyber insurance >>


  • Sarah Stephens As part of Marsh JLT Specialty's London-based Financial Lines Group, Sarah and her team work both directly with our clients and with network colleagues and independent partners to make sense of cyber, technology, and media E&O (PI) risks and create leading edge bespoke insurance solutions in the London market.

    Prior, Sarah spent 12 years with Aon in a variety of roles. Her last role at Aon was Head of Cyber & Commercial E&O for the Europe, Middle East, and Africa (EMEA) Region, working with colleagues across business groups and clients in the region to identify, analyse, and drive awareness of cyber risks, exposures, and both insurance and non-insurance solutions.

    Previously, Sarah spent seven years with Aon’s US Cyber and Errors & Omissions practice group thinking nonstop about cyber insurance way before it was cool. Her first four years at Aon were spent in the Account Management group working with large clients and developing a keen eye for excellent client service.

    For further information, please contact Sarah Stephens, Head of Cyber on +44 (0)20 3394 0486